diff --git a/go.mod b/go.mod index 76164fed5f..bc9a776ed6 100644 --- a/go.mod +++ b/go.mod @@ -44,7 +44,7 @@ require ( k8s.io/client-go v0.35.1 k8s.io/utils v0.0.0-20260108192941-914a6e750570 sigs.k8s.io/controller-runtime v0.23.3 - sigs.k8s.io/gateway-api v1.5.0 // Pinned to v1.4.1 in replace directive + sigs.k8s.io/gateway-api v1.4.1 ) require ( @@ -201,7 +201,7 @@ require ( gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect helm.sh/helm/v3 v3.18.6 // indirect - istio.io/istio v0.0.0-20260309041103-f67b89f49d1a // indirect + istio.io/istio v0.0.0-20260306174229-7da666217518 // indirect k8s.io/cli-runtime v0.35.0 // indirect k8s.io/component-base v0.35.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect @@ -223,11 +223,4 @@ require ( replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5 // Use the sail_library_ossm branch from aslakknutsen's fork for Sail Library integration -replace github.com/istio-ecosystem/sail-operator => github.com/aslakknutsen/sail-operator v0.0.0-20260318134045-4159c7d6ebbd - -// Pin gateway-api to v1.4.1 to avoid upgrading via transitive dependency. -// The sail-operator main branch uses the latest Istio, which depends on gateway-api v1.5.0. -// However, sail-operator itself doesn't use gateway-api, so pinning is safe and avoids -// unintended API changes in CIO's Gateway API implementation. -// Remove this when sail-operator switches to an OSSM release branch. -replace sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.4.1 +replace github.com/istio-ecosystem/sail-operator => github.com/aslakknutsen/sail-operator v0.0.0-20260325174717-0460eb7b4609 diff --git a/go.sum b/go.sum index d48791f2b7..86deaa0f4d 100644 --- a/go.sum +++ b/go.sum @@ -82,8 +82,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aslakknutsen/sail-operator v0.0.0-20260318134045-4159c7d6ebbd h1:vfI4hsUFuhLclPLC3oCi+wj7/jyDsNTSws2xCyhj/Sg= -github.com/aslakknutsen/sail-operator v0.0.0-20260318134045-4159c7d6ebbd/go.mod h1:M9xr1Yd0Vk4NATmQ0VFlAFhA4Xxv0UIe2vl1mZhk9JQ= +github.com/aslakknutsen/sail-operator v0.0.0-20260325174717-0460eb7b4609 h1:UtR8iaWMy+VAs6eZ6XLibJjYXhE5NXyx7Uaa6xl8tcc= +github.com/aslakknutsen/sail-operator v0.0.0-20260325174717-0460eb7b4609/go.mod h1:l5/9fIFLMnrArPGvg49DBrWZzi8LojS5OcGe9nJeeI4= github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48= github.com/aws/aws-sdk-go v1.38.49 h1:E31vxjCe6a5I+mJLmUGaZobiWmg9KdWaud9IfceYeYQ= github.com/aws/aws-sdk-go v1.38.49/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= @@ -325,8 +325,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= -github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc= -github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= +github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18= +github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -351,8 +351,8 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJr github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -445,8 +445,8 @@ github.com/mdlayher/netlink v1.6.0 h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA= github.com/mdlayher/socket v0.1.1 h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI= github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs= -github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI= -github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs= +github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA= +github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= @@ -486,13 +486,13 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc= -github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48= -github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= -github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= @@ -659,8 +659,8 @@ go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5w go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= -go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= -go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -816,8 +816,8 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 h1:1hfbdAfFbkmpg41000wDVqr7jUpK/Yo+LPnIxxGzmkg= -google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2 h1:7LRqPCEdE4TP4/9psdaB7F2nhZFfBiGJomA5sojLWdU= -google.golang.org/genproto/googleapis/api v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2 h1:2I6GHUeJ/4shcDpoUlLs/2WPnhg7yJwvXtqcMJt9liA= google.golang.org/genproto/googleapis/rpc v0.0.0-20251213004720-97cd9d5aeac2/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= @@ -876,12 +876,12 @@ helm.sh/helm/v3 v3.18.6 h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY= helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -istio.io/api v1.29.0-alpha.0.0.20260302212057-b10ab91e9ded h1:fonoS3Wm6ir/iJsTJqyhR5027v/ptXA+RRtlNwHtOzg= -istio.io/api v1.29.0-alpha.0.0.20260302212057-b10ab91e9ded/go.mod h1:+brQWcBHoROuyA6fv8rbgg8Kfn0RCGuqoY0duCMuSLA= -istio.io/client-go v1.29.0-alpha.0.0.20260302212757-4d22331907bb h1:jK7RkLHCZta7D2Txj0ppMdJU3qyRcFYboQzvAgDPtJM= -istio.io/client-go v1.29.0-alpha.0.0.20260302212757-4d22331907bb/go.mod h1:c/UZ1LHBSIKeZnEQOMRybo7PPAznbOrgLnxxm8jMeHY= -istio.io/istio v0.0.0-20260309041103-f67b89f49d1a h1:kgHsCmLQj1sX4seZ6Euv0/3ICFqcAgFhkZdWzXPubgg= -istio.io/istio v0.0.0-20260309041103-f67b89f49d1a/go.mod h1:KE/3TTnFR2LNpcjiNKkAz7t1T0xi6S/T7ZLYqo4DxBQ= +istio.io/api v1.28.5-0.20260306154401-b08bd5908741 h1:DK00OZIwDVG/METF5BCf5x+6Rcy1fLCm4FVoK/eSSh4= +istio.io/api v1.28.5-0.20260306154401-b08bd5908741/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg= +istio.io/client-go v1.28.5 h1:fkT84vKKwr2LYnvXDZo67SogByJfsSrRwVPlCxsOGEg= +istio.io/client-go v1.28.5/go.mod h1:DBtlSnmVgdxwjlAL572sM+q5YjyWJRwfN9Oa95ohzPI= +istio.io/istio v0.0.0-20260306174229-7da666217518 h1:wTSzA6ySwn5SU5vs6hAIYruAc+39MwGNwJzKYy7YlSw= +istio.io/istio v0.0.0-20260306174229-7da666217518/go.mod h1:AvwW8kBsPEMitVvHD7YF5MZ8Kqf8OgJoUtwB8O1gtog= k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q= k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM= k8s.io/apiextensions-apiserver v0.35.1 h1:p5vvALkknlOcAqARwjS20kJffgzHqwyQRM8vHLwgU7w= diff --git a/pkg/operator/controller/gatewayclass/controller.go b/pkg/operator/controller/gatewayclass/controller.go index 4fb046a3ec..79d895df18 100644 --- a/pkg/operator/controller/gatewayclass/controller.go +++ b/pkg/operator/controller/gatewayclass/controller.go @@ -85,15 +85,6 @@ const ( // 1. Sail Library mode: Uninstall Istio if this is the last GatewayClass, then remove finalizer // 2. Downgrade to OLM: Clean up Sail Library status and finalizer (then OLM takes over Istio) sailLibraryFinalizer = "openshift.io/ingress-operator-sail-finalizer" - - // Image configuration for Sail Library installations. - // These are only used for defaulting when CSV image annotations are missing, - // which should not happen in production clusters with proper OSSM release branches. - ossmImageRegistry = "registry.redhat.io/openshift-service-mesh" - istioImageIstiod = "istio-pilot-rhel9" - istioImageProxy = "istio-proxyv2-rhel9" - istioImageCNI = "istio-cni-rhel9" - istioImageZTunnel = "istio-ztunnel-rhel9" ) type extraIstioConfig struct { @@ -183,16 +174,6 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er return nil, err } } else { - // TODO: Remove this when we switch to an OSSM release branch with proper CSV image annotations. - // The main branch of sail-operator does not maintain image annotations in the CSV, - // causing Istio to fall back to upstream container images. This explicit configuration - // ensures Red Hat images are used until the release branch has the annotations properly maintained. - err := install.SetImageDefaults(resources.FS, ossmImageRegistry, install.ImageNames{ - Istiod: istioImageIstiod, - Proxy: istioImageProxy, - CNI: istioImageCNI, - ZTunnel: istioImageZTunnel, - }) if err != nil { return nil, fmt.Errorf("failed to set image defaults: %w", err) } diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go index e901bdd7ed..29730d0ed0 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go @@ -37,10 +37,10 @@ const ( type IstioSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.29-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.29.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091"} - // +kubebuilder:validation:Enum=v1.29-latest;v1.29.0;v1.28-latest;v1.28.4;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27-latest;v1.27.7;v1.27.6;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26-latest;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25-latest;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24-latest;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.30-alpha.a22c3091 - // +kubebuilder:default=v1.29.0 + // Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28-latest;v1.28.5;v1.28.4;v1.27-latest;v1.27.8;v1.27.5;v1.27.3;v1.26-latest;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 + // +kubebuilder:default=v1.28.5 Version string `json:"version"` // Defines the update strategy to use when the version in the Istio CR is updated. @@ -282,7 +282,7 @@ type Istio struct { // +optional metav1.ObjectMeta `json:"metadata"` - // +kubebuilder:default={version: "v1.29.0", namespace: "istio-system", updateStrategy: {type:"InPlace"}} + // +kubebuilder:default={version: "v1.28.5", namespace: "istio-system", updateStrategy: {type:"InPlace"}} // +optional Spec IstioSpec `json:"spec"` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go index d80a082389..fa5b83ec9c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go @@ -28,10 +28,10 @@ const ( type IstioCNISpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.29-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.29.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091"} - // +kubebuilder:validation:Enum=v1.29-latest;v1.29.0;v1.28-latest;v1.28.4;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27-latest;v1.27.7;v1.27.6;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26-latest;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25-latest;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24-latest;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.30-alpha.a22c3091 - // +kubebuilder:default=v1.29.0 + // Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28-latest;v1.28.5;v1.28.4;v1.27-latest;v1.27.8;v1.27.5;v1.27.3;v1.26-latest;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 + // +kubebuilder:default=v1.28.5 Version string `json:"version"` // +sail:profile @@ -181,7 +181,7 @@ type IstioCNI struct { // +optional metav1.ObjectMeta `json:"metadata"` - // +kubebuilder:default={version: "v1.29.0", namespace: "istio-cni"} + // +kubebuilder:default={version: "v1.28.5", namespace: "istio-cni"} // +optional Spec IstioCNISpec `json:"spec"` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go index 29cc51bf49..a5e6435315 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go @@ -30,9 +30,9 @@ const ( type IstioRevisionSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.29.0, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, v1.30-alpha.a22c3091. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.29.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091"} - // +kubebuilder:validation:Enum=v1.29.0;v1.28.4;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27.7;v1.27.6;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;v1.30-alpha.a22c3091 + // Must be one of: v1.28.5, v1.28.4, v1.27.8, v1.27.5, v1.27.3, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28.5;v1.28.4;v1.27.8;v1.27.5;v1.27.3;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 Version string `json:"version"` // Namespace to which the Istio components should be installed. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go index e7015a9df7..3eee3f425f 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go @@ -455,14 +455,8 @@ type GlobalConfig struct { NetworkPolicy *NetworkPolicyConfig `json:"networkPolicy,omitempty"` // Specifies resource scope for discovery selectors. // This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - ResourceScope ResourceScope `json:"resourceScope,omitempty"` - // Specifies how proxies are configured within Istio. - Agentgateway *Agentgateway `json:"agentgateway,omitempty"` // The next available key is 78 - -} + ResourceScope ResourceScope `json:"resourceScope,omitempty"` // The next available key is 77 -type Agentgateway struct { - Image *string `json:"image,omitempty"` } // Configuration for Security Token Service (STS) server. @@ -656,8 +650,6 @@ type PilotConfig struct { IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"` // Configuration for the istio-discovery chart EnvVarFrom []k8sv1.EnvVar `json:"envVarFrom,omitempty"` - // Select a custom name for istiod's plugged-in CA CRL ConfigMap. - CrlConfigMapName *string `json:"crlConfigMapName,omitempty"` } type PilotTaintControllerConfig struct { @@ -768,10 +760,6 @@ type ProxyConfig struct { ReadinessPeriodSeconds *uint32 `json:"readinessPeriodSeconds,omitempty"` // Sets the number of successive failed probes before indicating readiness failure. ReadinessFailureThreshold *uint32 `json:"readinessFailureThreshold,omitempty"` - // Configures the seccomp profile for the istio-validation and istio-proxy containers. - // - // See: https://kubernetes.io/docs/tutorials/security/seccomp/ - SeccompProfile *k8sv1.SeccompProfile `json:"seccompProfile,omitempty"` // Configures the startup probe for the istio-proxy container. StartupProbe *StartupProbe `json:"startupProbe,omitempty"` // Default port used for the Pilot agent's health checks. @@ -1045,13 +1033,13 @@ type NetworkPolicyConfig struct { const filePkgApisValuesTypesProtoRawDesc = "" + "\n" + - "\x1bpkg/apis/values_types.proto\x12\x17istio.operator.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\"h\n" + + "\x1bpkg/apis/values_types.proto\x12\x17istio.operator.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\"k8s.io/api/core/v1/generated.proto\x1a4k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"h\n" + "\n" + "ArchConfig\x12\x14\n" + "\x05amd64\x18\x01 \x01(\rR\x05amd64\x12\x18\n" + "\appc64le\x18\x02 \x01(\rR\appc64le\x12\x14\n" + "\x05s390x\x18\x03 \x01(\rR\x05s390x\x12\x14\n" + - "\x05arm64\x18\x04 \x01(\rR\x05arm64\"\x90\f\n" + + "\x05arm64\x18\x04 \x01(\rR\x05arm64\"\xa0\f\n" + "\tCNIConfig\x124\n" + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12\x10\n" + "\x03hub\x18\x02 \x01(\tR\x03hub\x12(\n" + @@ -1067,8 +1055,8 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "cniConfDir\x12(\n" + "\x0fcniConfFileName\x18\b \x01(\tR\x0fcniConfFileName\x12 \n" + "\vcniNetnsDir\x18\x1f \x01(\tR\vcniNetnsDir\x12,\n" + - "\x11excludeNamespaces\x18\t \x03(\tR\x11excludeNamespaces\x123\n" + - "\baffinity\x18\x14 \x01(\v2\x17.google.protobuf.StructR\baffinity\x12)\n" + + "\x11excludeNamespaces\x18\t \x03(\tR\x11excludeNamespaces\x128\n" + + "\baffinity\x18\x14 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12)\n" + "\x03env\x18 \x01(\v2\x17.google.protobuf.StructR\x03env\x12A\n" + "\x0fdaemonSetLabels\x18! \x01(\v2\x17.google.protobuf.StructR\x0fdaemonSetLabels\x12C\n" + "\x0epodAnnotations\x18\n" + @@ -1083,8 +1071,8 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\tresources\x18\x11 \x01(\v2\".istio.operator.v1alpha1.ResourcesR\tresources\x12>\n" + "\n" + "privileged\x18\x12 \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\n" + - "privileged\x12?\n" + - "\x0eseccompProfile\x18\x13 \x01(\v2\x17.google.protobuf.StructR\x0eseccompProfile\x12C\n" + + "privileged\x12J\n" + + "\x0eseccompProfile\x18\x13 \x01(\v2\".k8s.io.api.core.v1.SeccompProfileR\x0eseccompProfile\x12C\n" + "\aambient\x18\x15 \x01(\v2).istio.operator.v1alpha1.CNIAmbientConfigR\aambient\x12\x1a\n" + "\bprovider\x18\x16 \x01(\tR\bprovider\x12Z\n" + "\x15rollingMaxUnavailable\x18\x17 \x01(\v2$.istio.operator.v1alpha1.IntOrStringR\x15rollingMaxUnavailable\x12L\n" + @@ -1138,7 +1126,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" + " DefaultPodDisruptionBudgetConfig\x124\n" + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\"f\n" + "\x16DefaultResourcesConfig\x12L\n" + - "\brequests\x18\x01 \x01(\v20.istio.operator.v1alpha1.ResourcesRequestsConfigR\brequests\"\xfb\x0e\n" + + "\brequests\x18\x01 \x01(\v20.istio.operator.v1alpha1.ResourcesRequestsConfigR\brequests\"\xbb\x0f\n" + "\x13EgressGatewayConfig\x12F\n" + "\x10autoscaleEnabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\x10autoscaleEnabled\x12\"\n" + "\fautoscaleMax\x18\x02 \x01(\rR\fautoscaleMax\x12\"\n" + @@ -1152,15 +1140,15 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x04name\x18\x19 \x01(\tR\x04name\x12?\n" + "\fnodeSelector\x18\n" + " \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\fnodeSelector\x12C\n" + - "\x0epodAnnotations\x18\v \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12_\n" + - "\x1cpodAntiAffinityLabelSelector\x18\f \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12g\n" + - " podAntiAffinityTermLabelSelector\x18\r \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" + + "\x0epodAnnotations\x18\v \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12{\n" + + "\x1cpodAntiAffinityLabelSelector\x18\f \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12\x83\x01\n" + + " podAntiAffinityTermLabelSelector\x18\r \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" + "\x05ports\x18\x0e \x03(\v2$.istio.operator.v1alpha1.PortsConfigR\x05ports\x12D\n" + "\tresources\x18\x0f \x01(\v2\".istio.operator.v1alpha1.ResourcesB\x02\x18\x01R\tresources\x12K\n" + "\rsecretVolumes\x18\x10 \x03(\v2%.istio.operator.v1alpha1.SecretVolumeR\rsecretVolumes\x12G\n" + "\x12serviceAnnotations\x18\x11 \x01(\v2\x17.google.protobuf.StructR\x12serviceAnnotations\x12\x12\n" + - "\x04type\x18\x12 \x01(\tR\x04type\x12=\n" + - "\vtolerations\x18\x14 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\vtolerations\x12R\n" + + "\x04type\x18\x12 \x01(\tR\x04type\x12D\n" + + "\vtolerations\x18\x14 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\vtolerations\x12R\n" + "\x0frollingMaxSurge\x18\x15 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x0frollingMaxSurge\x12^\n" + "\x15rollingMaxUnavailable\x18\x16 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x12=\n" + "\rconfigVolumes\x18\x17 \x03(\v2\x17.google.protobuf.StructR\rconfigVolumes\x12K\n" + @@ -1181,15 +1169,15 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x14istio_ingressgateway\x18\x04 \x01(\v2-.istio.operator.v1alpha1.IngressGatewayConfigR\x14istio-ingressgateway\x12@\n" + "\x0fsecurityContext\x18\n" + " \x01(\v2\x16.google.protobuf.ValueR\x0fsecurityContext\x12>\n" + - "\x0eseccompProfile\x18\f \x01(\v2\x16.google.protobuf.ValueR\x0eseccompProfile\"\xf1\x14\n" + + "\x0eseccompProfile\x18\f \x01(\v2\x16.google.protobuf.ValueR\x0eseccompProfile\"\xad\x14\n" + "\fGlobalConfig\x12;\n" + "\x04arch\x18\x01 \x01(\v2#.istio.operator.v1alpha1.ArchConfigB\x02\x18\x01R\x04arch\x12 \n" + "\vcertSigners\x18D \x03(\tR\vcertSigners\x12F\n" + "\x10configValidation\x18\x03 \x01(\v2\x1a.google.protobuf.BoolValueR\x10configValidation\x12M\n" + "\x13defaultNodeSelector\x18\x06 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x13defaultNodeSelector\x12y\n" + "\x1adefaultPodDisruptionBudget\x18\a \x01(\v29.istio.operator.v1alpha1.DefaultPodDisruptionBudgetConfigR\x1adefaultPodDisruptionBudget\x12_\n" + - "\x10defaultResources\x18\t \x01(\v2/.istio.operator.v1alpha1.DefaultResourcesConfigB\x02\x18\x01R\x10defaultResources\x12K\n" + - "\x12defaultTolerations\x187 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x12defaultTolerations\x12\x10\n" + + "\x10defaultResources\x18\t \x01(\v2/.istio.operator.v1alpha1.DefaultResourcesConfigB\x02\x18\x01R\x10defaultResources\x12R\n" + + "\x12defaultTolerations\x187 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\x12defaultTolerations\x12\x10\n" + "\x03hub\x18\f \x01(\tR\x03hub\x12(\n" + "\x0fimagePullPolicy\x18\r \x01(\tR\x0fimagePullPolicy\x12*\n" + "\x10imagePullSecrets\x18% \x03(\tR\x10imagePullSecrets\x12&\n" + @@ -1232,16 +1220,13 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x0ftrustBundleName\x18I \x01(\tR\x0ftrustBundleName\x12B\n" + "\x0enativeNftables\x18J \x01(\v2\x1a.google.protobuf.BoolValueR\x0enativeNftables\x12R\n" + "\rnetworkPolicy\x18K \x01(\v2,.istio.operator.v1alpha1.NetworkPolicyConfigR\rnetworkPolicy\x12L\n" + - "\rresourceScope\x18L \x01(\x0e2&.istio.operator.v1alpha1.ResourceScopeR\rresourceScope\x12I\n" + - "\fagentgateway\x18M \x01(\v2%.istio.operator.v1alpha1.AgentgatewayR\fagentgateway\"$\n" + - "\fAgentgateway\x12\x14\n" + - "\x05image\x18\x01 \x01(\tR\x05image\"-\n" + + "\rresourceScope\x18L \x01(\x0e2&.istio.operator.v1alpha1.ResourceScopeR\rresourceScope\"-\n" + "\tSTSConfig\x12 \n" + "\vservicePort\x18\x01 \x01(\rR\vservicePort\"R\n" + "\fIstiodConfig\x12B\n" + "\x0eenableAnalysis\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\x0eenableAnalysis\"+\n" + "\x13GlobalLoggingConfig\x12\x14\n" + - "\x05level\x18\x01 \x01(\tR\x05level\"\xf1\x10\n" + + "\x05level\x18\x01 \x01(\tR\x05level\"\xb1\x11\n" + "\x14IngressGatewayConfig\x12F\n" + "\x10autoscaleEnabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\x10autoscaleEnabled\x12\"\n" + "\fautoscaleMax\x18\x02 \x01(\rR\fautoscaleMax\x12\"\n" + @@ -1257,9 +1242,9 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x18loadBalancerSourceRanges\x18\x11 \x03(\tR\x18loadBalancerSourceRanges\x12\x12\n" + "\x04name\x18, \x01(\tR\x04name\x12?\n" + "\fnodeSelector\x18\x13 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\fnodeSelector\x12C\n" + - "\x0epodAnnotations\x18\x14 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12_\n" + - "\x1cpodAntiAffinityLabelSelector\x18\x15 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12g\n" + - " podAntiAffinityTermLabelSelector\x18\x16 \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" + + "\x0epodAnnotations\x18\x14 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12{\n" + + "\x1cpodAntiAffinityLabelSelector\x18\x15 \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R\x1cpodAntiAffinityLabelSelector\x12\x83\x01\n" + + " podAntiAffinityTermLabelSelector\x18\x16 \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorB\x02\x18\x01R podAntiAffinityTermLabelSelector\x12:\n" + "\x05ports\x18\x17 \x03(\v2$.istio.operator.v1alpha1.PortsConfigR\x05ports\x12&\n" + "\freplicaCount\x18\x18 \x01(\rB\x02\x18\x01R\freplicaCount\x129\n" + "\tresources\x18\x19 \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\tresources\x12K\n" + @@ -1268,8 +1253,8 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x04type\x18\x1d \x01(\tR\x04type\x12R\n" + "\x0frollingMaxSurge\x18\x1f \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x0frollingMaxSurge\x12^\n" + "\x15rollingMaxUnavailable\x18 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x124\n" + - "\x15externalTrafficPolicy\x18\" \x01(\tR\x15externalTrafficPolicy\x12=\n" + - "\vtolerations\x18# \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\vtolerations\x12;\n" + + "\x15externalTrafficPolicy\x18\" \x01(\tR\x15externalTrafficPolicy\x12D\n" + + "\vtolerations\x18# \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\vtolerations\x12;\n" + "\fingressPorts\x18$ \x03(\v2\x17.google.protobuf.StructR\fingressPorts\x12K\n" + "\x14additionalContainers\x18% \x03(\v2\x17.google.protobuf.StructR\x14additionalContainers\x12=\n" + "\rconfigVolumes\x18& \x03(\v2\x17.google.protobuf.StructR\rconfigVolumes\x128\n" + @@ -1292,7 +1277,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x04mode\x18\x02 \x01(\x0e29.istio.operator.v1alpha1.OutboundTrafficPolicyConfig.ModeR\x04mode\"(\n" + "\x04Mode\x12\r\n" + "\tALLOW_ANY\x10\x00\x12\x11\n" + - "\rREGISTRY_ONLY\x10\x01\"\x8d\x13\n" + + "\rREGISTRY_ONLY\x10\x01\"\x98\x13\n" + "\vPilotConfig\x124\n" + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12F\n" + "\x10autoscaleEnabled\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\x10autoscaleEnabled\x12\"\n" + @@ -1309,23 +1294,23 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x10deploymentLabels\x18\x0e \x01(\v2\x17.google.protobuf.StructR\x10deploymentLabels\x125\n" + "\tpodLabels\x18$ \x01(\v2\x17.google.protobuf.StructR\tpodLabels\x128\n" + "\tconfigMap\x18\x12 \x01(\v2\x1a.google.protobuf.BoolValueR\tconfigMap\x12)\n" + - "\x03env\x18\x15 \x01(\v2\x17.google.protobuf.StructR\x03env\x123\n" + - "\baffinity\x18\x16 \x01(\v2\x17.google.protobuf.StructR\baffinity\x12R\n" + + "\x03env\x18\x15 \x01(\v2\x17.google.protobuf.StructR\x03env\x128\n" + + "\baffinity\x18\x16 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12R\n" + "\x0frollingMaxSurge\x18\x18 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x0frollingMaxSurge\x12^\n" + - "\x15rollingMaxUnavailable\x18\x19 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x12=\n" + - "\vtolerations\x18\x1a \x03(\v2\x17.google.protobuf.StructB\x02\x18\x01R\vtolerations\x12C\n" + + "\x15rollingMaxUnavailable\x18\x19 \x01(\v2$.istio.operator.v1alpha1.IntOrStringB\x02\x18\x01R\x15rollingMaxUnavailable\x12D\n" + + "\vtolerations\x18\x1a \x03(\v2\x1e.k8s.io.api.core.v1.TolerationB\x02\x18\x01R\vtolerations\x12C\n" + "\x0epodAnnotations\x18\x1e \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12G\n" + "\x12serviceAnnotations\x18% \x01(\v2\x17.google.protobuf.StructR\x12serviceAnnotations\x12U\n" + "\x19serviceAccountAnnotations\x188 \x01(\v2\x17.google.protobuf.StructR\x19serviceAccountAnnotations\x128\n" + "\x17jwksResolverExtraRootCA\x18 \x01(\tR\x17jwksResolverExtraRootCA\x12\x10\n" + "\x03hub\x18\" \x01(\tR\x03hub\x12(\n" + "\x03tag\x18# \x01(\v2\x16.google.protobuf.ValueR\x03tag\x12\x18\n" + - "\avariant\x18' \x01(\tR\avariant\x12?\n" + - "\x0eseccompProfile\x18& \x01(\v2\x17.google.protobuf.StructR\x0eseccompProfile\x12U\n" + - "\x19topologySpreadConstraints\x18) \x03(\v2\x17.google.protobuf.StructR\x19topologySpreadConstraints\x12G\n" + - "\x12extraContainerArgs\x18* \x03(\v2\x17.google.protobuf.StructR\x12extraContainerArgs\x12;\n" + - "\fvolumeMounts\x181 \x03(\v2\x17.google.protobuf.StructR\fvolumeMounts\x121\n" + - "\avolumes\x183 \x03(\v2\x17.google.protobuf.StructR\avolumes\x12\x1e\n" + + "\avariant\x18' \x01(\tR\avariant\x12J\n" + + "\x0eseccompProfile\x18& \x01(\v2\".k8s.io.api.core.v1.SeccompProfileR\x0eseccompProfile\x12j\n" + + "\x19topologySpreadConstraints\x18) \x03(\v2,.k8s.io.api.core.v1.TopologySpreadConstraintR\x19topologySpreadConstraints\x12G\n" + + "\x12extraContainerArgs\x18* \x03(\v2\x17.google.protobuf.StructR\x12extraContainerArgs\x12C\n" + + "\fvolumeMounts\x181 \x03(\v2\x1f.k8s.io.api.core.v1.VolumeMountR\fvolumeMounts\x124\n" + + "\avolumes\x183 \x03(\v2\x1a.k8s.io.api.core.v1.VolumeR\avolumes\x12\x1e\n" + "\n" + "ipFamilies\x184 \x03(\tR\n" + "ipFamilies\x12&\n" + @@ -1337,8 +1322,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\fistiodRemote\x18= \x01(\v2+.istio.operator.v1alpha1.IstiodRemoteConfigR\fistiodRemote\x127\n" + "\n" + "envVarFrom\x18> \x03(\v2\x17.google.protobuf.StructR\n" + - "envVarFrom\x12*\n" + - "\x10crlConfigMapName\x18? \x01(\tR\x10crlConfigMapName\"T\n" + + "envVarFrom\"T\n" + "\x1aPilotTaintControllerConfig\x12\x18\n" + "\aenabled\x18\x01 \x01(\bR\aenabled\x12\x1c\n" + "\tnamespace\x18\x02 \x01(\tR\tnamespace\"\xc6\x01\n" + @@ -1368,8 +1352,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\n" + "targetPort\x18\x04 \x01(\x05R\n" + "targetPort\x12\x1a\n" + - "\bprotocol\x18\x05 \x01(\tR\bprotocol\"\x85\n" + - "\n" + + "\bprotocol\x18\x05 \x01(\tR\bprotocol\"\xca\t\n" + "\vProxyConfig\x12\x1e\n" + "\n" + "autoInject\x18\x04 \x01(\tR\n" + @@ -1388,16 +1371,15 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "privileged\x12B\n" + "\x1creadinessInitialDelaySeconds\x18\x14 \x01(\rR\x1creadinessInitialDelaySeconds\x126\n" + "\x16readinessPeriodSeconds\x18\x15 \x01(\rR\x16readinessPeriodSeconds\x12<\n" + - "\x19readinessFailureThreshold\x18\x16 \x01(\rR\x19readinessFailureThreshold\x12?\n" + - "\x0eseccompProfile\x18+ \x01(\v2\x17.google.protobuf.StructR\x0eseccompProfile\x12I\n" + + "\x19readinessFailureThreshold\x18\x16 \x01(\rR\x19readinessFailureThreshold\x12I\n" + "\fstartupProbe\x18) \x01(\v2%.istio.operator.v1alpha1.StartupProbeR\fstartupProbe\x12\x1e\n" + "\n" + "statusPort\x18\x17 \x01(\rR\n" + "statusPort\x12D\n" + "\tresources\x18\x18 \x01(\v2\".istio.operator.v1alpha1.ResourcesB\x02\x18\x01R\tresources\x127\n" + "\x06tracer\x18\x19 \x01(\x0e2\x1f.istio.operator.v1alpha1.tracerR\x06tracer\x122\n" + - "\x14excludeOutboundPorts\x18\x1c \x01(\tR\x14excludeOutboundPorts\x125\n" + - "\tlifecycle\x18$ \x01(\v2\x17.google.protobuf.StructR\tlifecycle\x12h\n" + + "\x14excludeOutboundPorts\x18\x1c \x01(\tR\x14excludeOutboundPorts\x12;\n" + + "\tlifecycle\x18$ \x01(\v2\x1d.k8s.io.api.core.v1.LifecycleR\tlifecycle\x12h\n" + "\x1fholdApplicationUntilProxyStarts\x18% \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\x1fholdApplicationUntilProxyStarts\x120\n" + "\x13includeInboundPorts\x18& \x01(\tR\x13includeInboundPorts\x122\n" + "\x14includeOutboundPorts\x18' \x01(\tR\x14includeOutboundPorts\"p\n" + @@ -1417,12 +1399,12 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x04name\x18\x02 \x01(\tR\x04name\x12\x1e\n" + "\n" + "secretName\x18\x03 \x01(\tR\n" + - "secretName\"\xd9\x04\n" + + "secretName\"\x91\x05\n" + "\x15SidecarInjectorConfig\x12X\n" + "\x19enableNamespacesByDefault\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\x19enableNamespacesByDefault\x12.\n" + - "\x12reinvocationPolicy\x18\x03 \x01(\tR\x12reinvocationPolicy\x12I\n" + - "\x13neverInjectSelector\x18\v \x03(\v2\x17.google.protobuf.StructR\x13neverInjectSelector\x12K\n" + - "\x14alwaysInjectSelector\x18\f \x03(\v2\x17.google.protobuf.StructR\x14alwaysInjectSelector\x12L\n" + + "\x12reinvocationPolicy\x18\x03 \x01(\tR\x12reinvocationPolicy\x12e\n" + + "\x13neverInjectSelector\x18\v \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x13neverInjectSelector\x12g\n" + + "\x14alwaysInjectSelector\x18\f \x03(\v23.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x14alwaysInjectSelector\x12L\n" + "\x13rewriteAppHTTPProbe\x18\x10 \x01(\v2\x1a.google.protobuf.BoolValueR\x13rewriteAppHTTPProbe\x12I\n" + "\x13injectedAnnotations\x18\x13 \x01(\v2\x17.google.protobuf.StructR\x13injectedAnnotations\x12\"\n" + "\finjectionURL\x18\x16 \x01(\tR\finjectionURL\x125\n" + @@ -1487,14 +1469,14 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\vIntOrString\x12\x12\n" + "\x04type\x18\x01 \x01(\x03R\x04type\x123\n" + "\x06intVal\x18\x02 \x01(\v2\x1b.google.protobuf.Int32ValueR\x06intVal\x124\n" + - "\x06strVal\x18\x03 \x01(\v2\x1c.google.protobuf.StringValueR\x06strVal\"\xd4\x02\n" + + "\x06strVal\x18\x03 \x01(\v2\x1c.google.protobuf.StringValueR\x06strVal\"\xfe\x02\n" + "\x0eWaypointConfig\x12@\n" + - "\tresources\x18\x01 \x01(\v2\".istio.operator.v1alpha1.ResourcesR\tresources\x123\n" + - "\baffinity\x18\x02 \x01(\v2\x17.google.protobuf.StructR\baffinity\x12U\n" + - "\x19topologySpreadConstraints\x18\x03 \x03(\v2\x17.google.protobuf.StructR\x19topologySpreadConstraints\x12;\n" + - "\fnodeSelector\x18\x04 \x01(\v2\x17.google.protobuf.StructR\fnodeSelector\x127\n" + + "\tresources\x18\x01 \x01(\v2\".istio.operator.v1alpha1.ResourcesR\tresources\x128\n" + + "\baffinity\x18\x02 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12j\n" + + "\x19topologySpreadConstraints\x18\x03 \x03(\v2,.k8s.io.api.core.v1.TopologySpreadConstraintR\x19topologySpreadConstraints\x12D\n" + + "\fnodeSelector\x18\x04 \x01(\v2 .k8s.io.api.core.v1.NodeSelectorR\fnodeSelector\x12>\n" + "\n" + - "toleration\x18\x05 \x03(\v2\x17.google.protobuf.StructR\n" + + "toleration\x18\x05 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationR\n" + "toleration\"K\n" + "\x13NetworkPolicyConfig\x124\n" + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled*C\n" + @@ -1659,44 +1641,6 @@ const ( MeshConfigServiceScopeConfigsScopeGlobal MeshConfigServiceScopeConfigsScope = "GLOBAL" ) -// ServiceAttributeEnrichment controls how service resource attributes -// (such as `service.name`, `service.namespace`, `service.version`, and -// `service.instance.id`) are populated in exported trace spans. -// +kubebuilder:validation:Enum=ISTIO_CANONICAL;OTEL_SEMANTIC_CONVENTIONS -type MeshConfigExtensionProviderServiceAttributeEnrichment string - -const ( - // Use Istio's default service attribute enrichment logic. - // The service name is determined by the `TracingServiceName` setting in - // `ProxyConfig` (e.g., based on the `app` label, canonical name, etc.). - MeshConfigExtensionProviderServiceAttributeEnrichmentIstioCanonical MeshConfigExtensionProviderServiceAttributeEnrichment = "ISTIO_CANONICAL" - // Follow the OpenTelemetry semantic conventions for Kubernetes service - // attributes. The service attributes are calculated following the fallback - // chain defined in: - // https://opentelemetry.io/docs/specs/semconv/non-normative/k8s-attributes/#service-attributes - // - // The fallback chain for `service.name` is: - // 1. `resource.opentelemetry.io/service.name` annotation on the pod - // 2. `app.kubernetes.io/name` label - // 3. Name of the owning Kubernetes resource (Deployment, StatefulSet, etc.) - // 4. Pod name - // 5. Container name (if single container in the pod) - // 6. `unknown_service` - // - // The fallback chain for `service.namespace` is: - // 1. `resource.opentelemetry.io/service.namespace` annotation on the pod - // 2. Kubernetes namespace name - // - // The fallback chain for `service.version` is: - // 1. `resource.opentelemetry.io/service.version` annotation on the pod - // 2. `app.kubernetes.io/version` label - // - // The fallback chain for `service.instance.id` is: - // 1. `resource.opentelemetry.io/service.instance.id` annotation on the pod - // 2. Pod UID - MeshConfigExtensionProviderServiceAttributeEnrichmentOtelSemanticConventions MeshConfigExtensionProviderServiceAttributeEnrichment = "OTEL_SEMANTIC_CONVENTIONS" -) - // Available trace context options for handling different trace header formats. // +kubebuilder:validation:Enum=USE_B3;USE_B3_WITH_W3C_PROPAGATION type MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption string @@ -1784,14 +1728,6 @@ type MeshConfig struct { // Connection timeout used by Envoy. (MUST be >=1ms) // Default timeout is 10s. ConnectTimeout *metav1.Duration `json:"connectTimeout,omitempty"` - // Idle timeout configured on Envoy proxies for their connection pools to ztunnel via HBONE. - // This controls how long Envoy will keep idle connections to ztunnel before closing them. - // Note: This setting is applied only on the Envoy proxy side; ztunnel does not use it. - // Default timeout is 1 hour (3600s). - // For environments with aggressive IP address reuse, it is recommended to set - // this to a value less than the CNI IP cooldown period to prevent stale connection reuse. - // For example, if your CNI has a 30s cooldown period, setting this to 15s is recommended. - HboneIdleTimeout *metav1.Duration `json:"hboneIdleTimeout,omitempty"` // +hidefromdoc // Automatic protocol detection uses a set of heuristics to // determine whether the connection is using TLS or not (on the @@ -2115,6 +2051,7 @@ type MeshConfig struct { // Note: Mesh mTLS does not respect ECDH curves. MeshMTLS *MeshConfigTLSConfig `json:"meshMTLS,omitempty"` // Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + // Currently, this supports configuration of ecdhCurves and cipherSuites only. // For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. TlsDefaults *MeshConfigTLSConfig `json:"tlsDefaults,omitempty"` } @@ -2597,12 +2534,6 @@ type MeshConfigExtensionProviderZipkinTracingProvider struct { // This controls both downstream request header extraction and upstream request header injection. // The default value is USE_B3 to maintain backward compatibility. TraceContextOption MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption `json:"traceContextOption,omitempty"` - // Optional. The timeout for the HTTP request to the Zipkin collector. - // If not specified, the default timeout from Envoy's configuration will be used (which is 5 seconds currently). - Timeout *metav1.Duration `json:"timeout,omitempty"` - // Optional. Additional HTTP headers to include in the request to the Zipkin collector. - // These headers will be added to the HTTP request when sending spans to the collector. - Headers []*MeshConfigExtensionProviderHttpHeader `json:"headers,omitempty"` } // Defines configuration for a Lightstep tracer. @@ -2955,27 +2886,6 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { // // ``` ResourceDetectors *MeshConfigExtensionProviderResourceDetectors `json:"resourceDetectors,omitempty"` - // Optional. Controls how service resource attributes are enriched in - // exported trace spans. When set to `OTEL_SEMANTIC_CONVENTIONS`, the - // service attributes (`service.name`, `service.namespace`, - // `service.version`, `service.instance.id`) will be populated following - // the OpenTelemetry semantic conventions for Kubernetes: - // https://opentelemetry.io/docs/specs/semconv/non-normative/k8s-attributes/#service-attributes - // - // When not set or set to `ISTIO_CANONICAL`, Istio's default enrichment - // logic is used (controlled by `TracingServiceName` in `ProxyConfig`). - // - // Example: - // ```yaml - // extensionProviders: - // - name: otel-tracing - // opentelemetry: - // port: 443 - // service: my.olly-backend.com - // serviceAttributeEnrichment: OTEL_SEMANTIC_CONVENTIONS - // - // ``` - ServiceAttributeEnrichment MeshConfigExtensionProviderServiceAttributeEnrichment `json:"serviceAttributeEnrichment,omitempty"` // The Dynatrace adaptive traffic management (ATM) sampler. // @@ -3194,14 +3104,13 @@ type MeshConfigExtensionProviderResourceDetectorsDynatraceResourceDetector struc const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\n" + - "\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xe6r\n" + + "\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xf7n\n" + "\n" + "MeshConfig\x12*\n" + "\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x129\n" + "\x19proxy_inbound_listen_port\x18A \x01(\x05R\x16proxyInboundListenPort\x12&\n" + "\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12B\n" + - "\x0fconnect_timeout\x18\x06 \x01(\v2\x19.google.protobuf.DurationR\x0econnectTimeout\x12G\n" + - "\x12hbone_idle_timeout\x18F \x01(\v2\x19.google.protobuf.DurationR\x10hboneIdleTimeout\x12W\n" + + "\x0fconnect_timeout\x18\x06 \x01(\v2\x19.google.protobuf.DurationR\x0econnectTimeout\x12W\n" + "\x1aprotocol_detection_timeout\x18* \x01(\v2\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n" + "\rtcp_keepalive\x18\x1c \x01(\v2J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\ftcpKeepalive\x12#\n" + "\ringress_class\x18\a \x01(\tR\fingressClass\x12'\n" + @@ -3278,7 +3187,7 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\ftls_settings\x18\x02 \x01(\v2,.istio.networking.v1alpha3.ClientTLSSettingsR\vtlsSettings\x12B\n" + "\x0frequest_timeout\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n" + "\vistiod_side\x18\x04 \x01(\bR\n" + - "istiodSide\x1a\xb2C\n" + + "istiodSide\x1a\xc2@\n" + "\x11ExtensionProvider\x12\x12\n" + "\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n" + "\x14envoy_ext_authz_http\x18\x02 \x01(\v2X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11envoyExtAuthzHttp\x12\x8b\x01\n" + @@ -3334,16 +3243,14 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\tfail_open\x18\x03 \x01(\bR\bfailOpen\x12*\n" + "\x11clear_route_cache\x18\a \x01(\bR\x0fclearRouteCache\x12&\n" + "\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x12\x99\x01\n" + - "\x1dinclude_request_body_in_check\x18\x06 \x01(\v2W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1a\x91\x04\n" + + "\x1dinclude_request_body_in_check\x18\x06 \x01(\v2W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1a\x84\x03\n" + "\x15ZipkinTracingProvider\x12\x18\n" + "\aservice\x18\x01 \x01(\tR\aservice\x12\x12\n" + "\x04port\x18\x02 \x01(\rR\x04port\x12$\n" + "\x0emax_tag_length\x18\x03 \x01(\rR\fmaxTagLength\x121\n" + "\x15enable_64bit_trace_id\x18\x04 \x01(\bR\x12enable64bitTraceId\x12\x12\n" + "\x04path\x18\x05 \x01(\tR\x04path\x12\x8c\x01\n" + - "\x14trace_context_option\x18\x06 \x01(\x0e2Z.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider.TraceContextOptionR\x12traceContextOption\x123\n" + - "\atimeout\x18\a \x01(\v2\x19.google.protobuf.DurationR\atimeout\x12V\n" + - "\aheaders\x18\b \x03(\v2<.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpHeaderR\aheaders\"A\n" + + "\x14trace_context_option\x18\x06 \x01(\x0e2Z.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider.TraceContextOptionR\x12traceContextOption\"A\n" + "\x12TraceContextOption\x12\n" + "\n" + "\x06USE_B3\x10\x00\x12\x1f\n" + @@ -3416,7 +3323,7 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "log_format\x18\x04 \x01(\v2Y.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormatR\tlogFormat\x1aP\n" + "\tLogFormat\x12\x12\n" + "\x04text\x18\x01 \x01(\tR\x04text\x12/\n" + - "\x06labels\x18\x02 \x01(\v2\x17.google.protobuf.StructR\x06labels\x1a\xdd\b\n" + + "\x06labels\x18\x02 \x01(\v2\x17.google.protobuf.StructR\x06labels\x1a\xcc\a\n" + "\x1cOpenTelemetryTracingProvider\x12\x18\n" + "\aservice\x18\x01 \x01(\tR\aservice\x12\x12\n" + "\x04port\x18\x02 \x01(\rR\x04port\x12$\n" + @@ -3424,7 +3331,6 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\x04http\x18\x04 \x01(\v2=.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpServiceR\x04http\x12Q\n" + "\x04grpc\x18\a \x01(\v2=.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.GrpcServiceR\x04grpc\x12r\n" + "\x12resource_detectors\x18\x05 \x01(\v2C.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ResourceDetectorsR\x11resourceDetectors\x12\x8e\x01\n" + - "\x1cservice_attribute_enrichment\x18\b \x01(\x0e2L.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ServiceAttributeEnrichmentR\x1aserviceAttributeEnrichment\x12\x8e\x01\n" + "\x11dynatrace_sampler\x18\x06 \x01(\v2_.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider.DynatraceSamplerH\x00R\x10dynatraceSampler\x1a\xa0\x03\n" + "\x10DynatraceSampler\x12\x16\n" + "\x06tenant\x18\x01 \x01(\tR\x06tenant\x12\x1d\n" + @@ -3459,10 +3365,7 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\x19DynatraceResourceDetector\x1a\xab\x01\n" + "\vGrpcService\x123\n" + "\atimeout\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\atimeout\x12g\n" + - "\x10initial_metadata\x18\x02 \x03(\v2<.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpHeaderR\x0finitialMetadata\"P\n" + - "\x1aServiceAttributeEnrichment\x12\x13\n" + - "\x0fISTIO_CANONICAL\x10\x00\x12\x1d\n" + - "\x19OTEL_SEMANTIC_CONVENTIONS\x10\x01B\n" + + "\x10initial_metadata\x18\x02 \x03(\v2<.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpHeaderR\x0finitialMetadataB\n" + "\n" + "\bprovider\x1am\n" + "\x10DefaultProviders\x12\x18\n" + @@ -3503,7 +3406,7 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\x0fH2UpgradePolicy\x12\x12\n" + "\x0eDO_NOT_UPGRADE\x10\x00\x12\v\n" + "\aUPGRADE\x10\x01J\x04\b1\x102J\x04\b\x01\x10\x02J\x04\b\x02\x10\x03J\x04\b\x03\x10\x04J\x04\b0\x101J\x04\b\x19\x10\x1aJ\x04\b\x1e\x10\x1fJ\x04\b\n" + - "\x10\vJ\x04\b\v\x10\fJ\x04\b\x0f\x10\x10J\x04\b\x10\x10\x11J\x04\b\x12\x10\x13J\x04\b\x13\x10\x14J\x04\b\x14\x10\x15J\x04\b\x15\x10\x16J\x04\b\x17\x10\x18J\x04\b\x1d\x10\x1eJ\x04\b5\x106J\x04\b%\x10&J\x04\b&\x10'J\x04\b'\x10(J\x04\bD\x10EJ\x04\bE\x10FR\rthrift_configR\x12mixer_check_serverR\x13mixer_report_serverR\x15disable_policy_checksR\x1adisable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\vauth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1fenable_client_side_policy_checkR\fsds_uds_pathR\x11sds_refresh_delayR\x16enable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14disable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_timeR\x13file_flush_intervalR\x13file_flush_min_size\"\x81\x02\n" + + "\x10\vJ\x04\b\v\x10\fJ\x04\b\x0f\x10\x10J\x04\b\x10\x10\x11J\x04\b\x12\x10\x13J\x04\b\x13\x10\x14J\x04\b\x14\x10\x15J\x04\b\x15\x10\x16J\x04\b\x17\x10\x18J\x04\b\x1d\x10\x1eJ\x04\b5\x106J\x04\b%\x10&J\x04\b&\x10'J\x04\b'\x10(R\rthrift_configR\x12mixer_check_serverR\x13mixer_report_serverR\x15disable_policy_checksR\x1adisable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\vauth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1fenable_client_side_policy_checkR\fsds_uds_pathR\x11sds_refresh_delayR\x16enable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14disable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\x81\x02\n" + "\rLabelSelector\x12U\n" + "\vmatchLabels\x18\x01 \x03(\v23.istio.mesh.v1alpha1.LabelSelector.MatchLabelsEntryR\vmatchLabels\x12Y\n" + "\x10matchExpressions\x18\x02 \x03(\v2-.istio.mesh.v1alpha1.LabelSelectorRequirementR\x10matchExpressions\x1a>\n" + @@ -3564,7 +3467,7 @@ type Network struct { // If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to // to explicitly define the networks in Envoy's internal address configuration. // Envoy uses the IPs in the `internalAddressConfig` to decide whether or not to sanitize -// Envoy headers. If the IP address is listed as internal, the Envoy headers are not +// Envoy headers. If the IP address is listed an internal, the Envoy headers are not // sanitized. As of Envoy 1.33, the default value for `internalAddressConfig` is set to // an empty set. Previously, the default value was the set of all private IPs. Setting // the `internalAddressConfig` to all private IPs (via Envoy's previous default behavior @@ -4118,19 +4021,6 @@ type MeshConfigProxyConfig struct { // // ``` ProxyHeaders *ProxyConfigProxyHeaders `json:"proxyHeaders,omitempty"` - // File flush interval for envoy flushes buffers to disk in milliseconds. - // The duration needs to be set to a value greater than or equal to 1 millisecond. - // Default is 1000ms. - // Optional. - FileFlushInterval *metav1.Duration `json:"fileFlushInterval,omitempty"` - // File flush buffer size for envoy flushes buffers to disk in kilobytes. - // Defaults to 64. - // Optional. - FileFlushMinSizeKb *uint32 `json:"fileFlushMinSizeKb,omitempty"` - // Offer HTTP compression for stats - // Defaults to true. - // Optional. - StatsCompression *bool `json:"statsCompression,omitempty"` } type RemoteService struct { @@ -4476,7 +4366,7 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" + "poll_delay\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\tpollDelay\x126\n" + "\bfallback\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\bfallbackB\n" + "\n" + - "\bprovider\"\xeb'\n" + + "\bprovider\"\xa3&\n" + "\vProxyConfig\x12\x1f\n" + "\vconfig_path\x18\x01 \x01(\tR\n" + "configPath\x12\x1f\n" + @@ -4517,10 +4407,7 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" + "\x13ca_certificates_pem\x18\" \x03(\tR\x11caCertificatesPem\x12:\n" + "\x05image\x18# \x01(\v2$.istio.networking.v1beta1.ProxyImageR\x05image\x12Y\n" + "\x14private_key_provider\x18& \x01(\v2'.istio.mesh.v1alpha1.PrivateKeyProviderR\x12privateKeyProvider\x12R\n" + - "\rproxy_headers\x18' \x01(\v2-.istio.mesh.v1alpha1.ProxyConfig.ProxyHeadersR\fproxyHeaders\x12I\n" + - "\x13file_flush_interval\x18( \x01(\v2\x19.google.protobuf.DurationR\x11fileFlushInterval\x122\n" + - "\x16file_flush_min_size_kb\x18) \x01(\rR\x12fileFlushMinSizeKb\x12G\n" + - "\x11stats_compression\x18* \x01(\v2\x1a.google.protobuf.BoolValueR\x10statsCompression\x1a@\n" + + "\rproxy_headers\x18' \x01(\v2-.istio.mesh.v1alpha1.ProxyConfig.ProxyHeadersR\fproxyHeaders\x1a@\n" + "\x12ProxyMetadataEntry\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a@\n" + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go index 7bc96e5c34..b6f2a5f059 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go @@ -23,11 +23,6 @@ type SDSConfigToken struct { Aud string `json:"aud,omitempty"` } -type PeerCaCrlConfig struct { - // When enabled, ztunnel will check certificates against the CRL - Enabled *bool `json:"enabled,omitempty"` -} - type CNIValues struct { // Configuration for the Istio CNI plugin. Cni *CNIConfig `json:"cni,omitempty"` @@ -80,9 +75,6 @@ type ZTunnelConfig struct { Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // The resource quotas configuration for ztunnel ResourceQuotas *ResourceQuotas `json:"resourceQuotas,omitempty"` - // Certificate Revocation List (CRL) support for plugged-in CAs. - // When enabled, ztunnel will check certificates against the CRL - PeerCaCrl *PeerCaCrlConfig `json:"peerCaCrl,omitempty"` // K8s node selector settings. // // See https://kubernetes.io/docs/user-guide/node-selection/ @@ -127,13 +119,6 @@ type ZTunnelConfig struct { SeLinuxOptions *k8sv1.SELinuxOptions `json:"seLinuxOptions,omitempty"` // Defines the update strategy to use when the version in the Ztunnel CR is updated. UpdateStrategy *appsv1.DaemonSetUpdateStrategy `json:"updateStrategy,omitempty"` - // DNS policy for the ztunnel pod - // More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - // +kubebuilder:validation:Enum=ClusterFirstWithHostNet;ClusterFirst;Default;None - DNSPolicy *k8sv1.DNSPolicy `json:"dnsPolicy,omitempty"` - // DNS config for the ztunnel pod - // https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config - DNSConfig *k8sv1.PodDNSConfig `json:"dnsConfig,omitempty"` } // ZTunnelGlobalConfig is a subset of the Global Configuration used in the Istio ztunnel chart. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go index 793a55cc34..278c000e97 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go @@ -28,10 +28,10 @@ const ( type ZTunnelSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.29-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.29.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.0", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091"} - // +kubebuilder:validation:Enum=v1.29-latest;v1.29.0;v1.28-latest;v1.28.4;v1.28.3;v1.28.2;v1.28.1;v1.28.0;v1.27-latest;v1.27.7;v1.27.6;v1.27.5;v1.27.4;v1.27.3;v1.27.2;v1.27.1;v1.27.0;v1.26-latest;v1.26.8;v1.26.7;v1.26.6;v1.26.5;v1.26.4;v1.26.3;v1.26.2;v1.26.1;v1.26.0;v1.25-latest;v1.25.5;v1.25.4;v1.25.3;v1.25.2;v1.25.1;v1.24-latest;v1.24.6;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;master;v1.30-alpha.a22c3091 - // +kubebuilder:default=v1.29.0 + // Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28-latest;v1.28.5;v1.28.4;v1.27-latest;v1.27.8;v1.27.5;v1.27.3;v1.26-latest;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 + // +kubebuilder:default=v1.28.5 Version string `json:"version"` // Namespace to which the Istio ztunnel component should be installed. @@ -172,7 +172,7 @@ type ZTunnel struct { // +optional metav1.ObjectMeta `json:"metadata"` - // +kubebuilder:default={version: "v1.29.0", namespace: "ztunnel"} + // +kubebuilder:default={version: "v1.28.5", namespace: "ztunnel"} // +optional Spec ZTunnelSpec `json:"spec"` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go index f22c3f0e10..fd18a2eb1f 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go @@ -28,26 +28,6 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Agentgateway) DeepCopyInto(out *Agentgateway) { - *out = *in - if in.Image != nil { - in, out := &in.Image, &out.Image - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Agentgateway. -func (in *Agentgateway) DeepCopy() *Agentgateway { - if in == nil { - return nil - } - out := new(Agentgateway) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ArchConfig) DeepCopyInto(out *ArchConfig) { *out = *in @@ -915,11 +895,6 @@ func (in *GlobalConfig) DeepCopyInto(out *GlobalConfig) { *out = new(NetworkPolicyConfig) (*in).DeepCopyInto(*out) } - if in.Agentgateway != nil { - in, out := &in.Agentgateway, &out.Agentgateway - *out = new(Agentgateway) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalConfig. @@ -1684,11 +1659,6 @@ func (in *MeshConfig) DeepCopyInto(out *MeshConfig) { *out = new(metav1.Duration) **out = **in } - if in.HboneIdleTimeout != nil { - in, out := &in.HboneIdleTimeout, &out.HboneIdleTimeout - *out = new(metav1.Duration) - **out = **in - } if in.ProtocolDetectionTimeout != nil { in, out := &in.ProtocolDetectionTimeout, &out.ProtocolDetectionTimeout *out = new(metav1.Duration) @@ -3041,22 +3011,6 @@ func (in *MeshConfigExtensionProviderZipkinTracingProvider) DeepCopyInto(out *Me *out = new(string) **out = **in } - if in.Timeout != nil { - in, out := &in.Timeout, &out.Timeout - *out = new(metav1.Duration) - **out = **in - } - if in.Headers != nil { - in, out := &in.Headers, &out.Headers - *out = make([]*MeshConfigExtensionProviderHttpHeader, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(MeshConfigExtensionProviderHttpHeader) - (*in).DeepCopyInto(*out) - } - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderZipkinTracingProvider. @@ -3271,21 +3225,6 @@ func (in *MeshConfigProxyConfig) DeepCopyInto(out *MeshConfigProxyConfig) { *out = new(ProxyConfigProxyHeaders) (*in).DeepCopyInto(*out) } - if in.FileFlushInterval != nil { - in, out := &in.FileFlushInterval, &out.FileFlushInterval - *out = new(metav1.Duration) - **out = **in - } - if in.FileFlushMinSizeKb != nil { - in, out := &in.FileFlushMinSizeKb, &out.FileFlushMinSizeKb - *out = new(uint32) - **out = **in - } - if in.StatsCompression != nil { - in, out := &in.StatsCompression, &out.StatsCompression - *out = new(bool) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigProxyConfig. @@ -3606,26 +3545,6 @@ func (in *OutboundTrafficPolicyConfig) DeepCopy() *OutboundTrafficPolicyConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PeerCaCrlConfig) DeepCopyInto(out *PeerCaCrlConfig) { - *out = *in - if in.Enabled != nil { - in, out := &in.Enabled, &out.Enabled - *out = new(bool) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerCaCrlConfig. -func (in *PeerCaCrlConfig) DeepCopy() *PeerCaCrlConfig { - if in == nil { - return nil - } - out := new(PeerCaCrlConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PilotConfig) DeepCopyInto(out *PilotConfig) { *out = *in @@ -3853,11 +3772,6 @@ func (in *PilotConfig) DeepCopyInto(out *PilotConfig) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.CrlConfigMapName != nil { - in, out := &in.CrlConfigMapName, &out.CrlConfigMapName - *out = new(string) - **out = **in - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PilotConfig. @@ -4158,11 +4072,6 @@ func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) { *out = new(uint32) **out = **in } - if in.SeccompProfile != nil { - in, out := &in.SeccompProfile, &out.SeccompProfile - *out = new(corev1.SeccompProfile) - (*in).DeepCopyInto(*out) - } if in.StartupProbe != nil { in, out := &in.StartupProbe, &out.StartupProbe *out = new(StartupProbe) @@ -5713,11 +5622,6 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = new(ResourceQuotas) (*in).DeepCopyInto(*out) } - if in.PeerCaCrl != nil { - in, out := &in.PeerCaCrl, &out.PeerCaCrl - *out = new(PeerCaCrlConfig) - (*in).DeepCopyInto(*out) - } if in.NodeSelector != nil { in, out := &in.NodeSelector, &out.NodeSelector *out = make(map[string]string, len(*in)) @@ -5792,16 +5696,6 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = new(appsv1.DaemonSetUpdateStrategy) (*in).DeepCopyInto(*out) } - if in.DNSPolicy != nil { - in, out := &in.DNSPolicy, &out.DNSPolicy - *out = new(corev1.DNSPolicy) - **out = **in - } - if in.DNSConfig != nil { - in, out := &in.DNSConfig, &out.DNSConfig - *out = new(corev1.PodDNSConfig) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelConfig. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md b/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md index e565f4ebc2..36863319f5 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md +++ b/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md @@ -151,7 +151,7 @@ Alternatively, refer to [Istio's artifacthub chart documentation](https://artifa The `istioctl` tool is a configuration command line utility that allows service operators to debug and diagnose Istio service mesh deployments. -For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.adoc). +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). ## Installing the Bookinfo Application @@ -159,7 +159,7 @@ You can use the `bookinfo` example application to explore service mesh features. Using the `bookinfo` application, you can easily confirm that requests from a web browser pass through the mesh and reach the application. -For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.adoc). +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). ## Creating and Configuring Gateways @@ -171,7 +171,7 @@ contains the control plane. You can deploy gateways using either the Gateway API or Gateway Injection methods. -For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.adoc). +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). ## Istio Addons Integrations @@ -181,7 +181,7 @@ Istio can be integrated with other software to provide additional functionality The following addons are for demonstration or development purposes only and should not be used in production environments: -For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.adoc). +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). ## Undeploying Istio and the Sail Operator diff --git a/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml index 2ac19e8d80..f47883eb44 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "inactiveRevisionDeletionGracePeriodSeconds": 30, "type": "InPlace" }, - "version": "v1.29.0" + "version": "v1.28.5" } }, { @@ -27,7 +27,7 @@ metadata: }, "spec": { "namespace": "istio-cni", - "version": "v1.29.0" + "version": "v1.28.5" } }, { @@ -38,14 +38,14 @@ metadata: }, "spec": { "namespace": "ztunnel", - "version": "v1.29.0" + "version": "v1.27.3" } } ] capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security - containerImage: quay.io/sail-dev/sail-operator:3.0-latest - createdAt: "2026-03-09T06:22:23Z" + containerImage: ${OSSM_OPERATOR_3_3} + createdAt: "2026-03-23T11:07:05Z" description: The OpenShift Service Mesh Operator enables you to install, configure, and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service Mesh is based on the open source Istio project. features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -58,7 +58,7 @@ metadata: features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]' - operators.operatorframework.io/builder: operator-sdk-v1.42.0 + operators.operatorframework.io/builder: operator-sdk-v1.41.1 operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/istio-ecosystem/sail-operator @@ -68,7 +68,7 @@ metadata: operatorframework.io/arch.arm64: supported operatorframework.io/arch.ppc64le: supported operatorframework.io/arch.s390x: supported - name: servicemeshoperator3.v3.0.1 + name: servicemeshoperator3.v3.3.1 namespace: placeholder spec: apiservicedefinitions: {} @@ -180,30 +180,24 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.29-latest - - urn:alm:descriptor:com.tectonic.ui:select:v1.29.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.7 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.4 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.0 - - urn:alm:descriptor:com.tectonic.ui:select:master - - urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 - description: Namespace to which the Istio CNI component should be installed. Note that this field is immutable. displayName: Namespace path: namespace @@ -241,26 +235,21 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.29.0, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, v1.30-alpha.a22c3091. + Must be one of: v1.28.5, v1.28.4, v1.27.8, v1.27.5, v1.27.3, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.29.0 + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.7 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.4 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 - description: Namespace to which the Istio components should be installed. displayName: Namespace path: namespace @@ -295,30 +284,24 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.29-latest - - urn:alm:descriptor:com.tectonic.ui:select:v1.29.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.7 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.4 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.0 - - urn:alm:descriptor:com.tectonic.ui:select:master - - urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all the workloads have stopped using it. You may want to set this value on the order of minutes. @@ -374,30 +357,24 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.29-latest - - urn:alm:descriptor:com.tectonic.ui:select:v1.29.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.28.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.7 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.4 - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.2 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.1 - - urn:alm:descriptor:com.tectonic.ui:select:v1.27.0 - - urn:alm:descriptor:com.tectonic.ui:select:master - - urn:alm:descriptor:com.tectonic.ui:select:v1.30-alpha.a22c3091 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 - description: Namespace to which the Istio ztunnel component should be installed. displayName: Namespace path: namespace @@ -466,26 +443,9 @@ spec: - apiGroups: - "" resources: - - configmaps - - endpoints - - events - - namespaces - - nodes - - persistentvolumeclaims - - pods - - replicationcontrollers - - resourcequotas - - secrets - - serviceaccounts - - services + - '*' verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - admissionregistration.k8s.io resources: @@ -494,13 +454,7 @@ spec: - validatingadmissionpolicybindings - validatingwebhookconfigurations verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - apiextensions.k8s.io resources: @@ -515,25 +469,13 @@ spec: - daemonsets - deployments verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - discovery.k8s.io resources: @@ -551,37 +493,19 @@ spec: resources: - network-attachment-definitions verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - networking.istio.io resources: - envoyfilters verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - sailoperator.io resources: @@ -717,13 +641,7 @@ spec: resources: - poddisruptionbudgets verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - rbac.authorization.k8s.io resources: @@ -731,16 +649,9 @@ spec: - clusterroles - rolebindings - roles + - serviceaccount verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - bind - - escalate + - '*' - apiGroups: - security.openshift.io resourceNames: @@ -798,11 +709,56 @@ spec: template: metadata: annotations: - images.v1_24_4.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:1.24.4 - images.v1_24_4.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.24.4 - images.v1_24_4.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9:3.0.1 - images.v1_24_4.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:1.24.4 - images.v1_24_4.ztunnel: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.24.4 + images.v1_26_2.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:14c5a52faf20267baa43d9a72ee6416f56fbc41dd640adc2aba3c4043802a0e9 + images.v1_26_2.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8 + images.v1_26_2.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:366266f10e658c4cea86bddf6ee847e1908ea4dd780cb5f7fb0e466bac8995f1 + images.v1_26_2.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe + images.v1_26_2.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:ecc6a22a471f4f4b836648f3a72ea7f57a4ea960ebcbc7dbe3fe729500902d0b + images.v1_26_3.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2ea112ab90b8540f11e9949d77c3e7e3b3ef57ac3bf23f6cf1e883a88430e1f9 + images.v1_26_3.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:33feac0c9c888b375e207e86b3f9a1a289126ca46b64632a7f693e2191cfbbfd + images.v1_26_3.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2ca96716812d339775d3dfd396c863834dd3810720e98bfcf87bc67c5fbd29b5 + images.v1_26_3.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:26747627ae22bbdffcf9de58077454fc0c890cda83659d7834b15dea2b5aaaf2 + images.v1_26_3.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:f7ab868455b5e887e2d89b7078678531290365f9166cae99ce56119f31fa2ba4 + images.v1_26_4.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:9536c5850961488b3e01e29140d9ace0cbaa1f4bd1c1860cb49d10bf0514a5bf + images.v1_26_4.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:02b82941a92c537233c4f60d9223da2e637b045189b8700dd7030bd9c1c352d5 + images.v1_26_4.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:cadc30c15a54d89de1992624a3641c7d5951dd292b668d026ab9d5e2f3878a77 + images.v1_26_4.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:b45ecae5a9240b40403c4e39c6a81ab66c8c7e8de194dc3e21b1336ff3a0fa38 + images.v1_26_4.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:950e9a2e8fef8740b4909957c2cced52d45abd66324fb056097f2d0782970573 + images.v1_26_6.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:be16b9a7e2693bf294c99d96ba4cf36e98629ebff2ce6f2ce946fd9ae1e9f2dc + images.v1_26_6.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:91229b8d6e932178ddddf0b4878114b65c0451755919996239d1fe6285b644e8 + images.v1_26_6.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:8a21e30593e51f2fd2e51d9ab1d0ed2fc43eaa9b98173d7fb74f799d6b2f163d + images.v1_26_6.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:47100186c27934adeda3002bb04cac28980ca8854eee7d6e4f4b3f85562e9a8e + images.v1_26_6.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:f39e2c28ef36fce9f808f3946cc4e4126047e142ad84cb18c222cecceae29730 + images.v1_26_8.cni: ${ISTIO_CNI_1_26} + images.v1_26_8.istiod: ${ISTIO_PILOT_1_26} + images.v1_26_8.must-gather: ${OSSM_MUST_GATHER_3_1} + images.v1_26_8.proxy: ${ISTIO_PROXY_1_26} + images.v1_26_8.ztunnel: ${ISTIO_ZTUNNEL_1_26} + images.v1_27_3.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:ddadd677161ad8c1077dd156821d6b4e32742ccbb210e9c14696fa66a58c0867 + images.v1_27_3.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:0850242436e88f7d82f0f2126de064c7e0f09844f31d8ff0f53dc8d3908075d9 + images.v1_27_3.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:742bc084c26769ff57cb3aa47b7a35c2b94684c3f67a9388da07a0490a942e5c + images.v1_27_3.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7d15cebf9b62f3f235c0eab5158ac8ff2fda86a1d193490dc94c301402c99da8 + images.v1_27_3.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:b2b3216a05f6136ed9ddb71d72d493030c6d6b431682dddffa692c760b6c9ba1 + images.v1_27_5.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2929b7df3da8228a728945542647ec5450c0585a2ed5cbdb84f8e3d81ab41806 + images.v1_27_5.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:2e515a40de141bd4e516bfcf4fd0cbb8d236ac02799a7a35d77ae44f53916bc9 + images.v1_27_5.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:d1baba8cb454b62d804dc427d4ccfea928348631c384d1ab3d170e1e2a9d1178 + images.v1_27_5.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:650da1e2ad1cb93e6a0231dba7ca1f27f4cccac84e5925135281adc629a0caea + images.v1_27_5.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:0ae2919cd446e0e1f0a21d0850e7809ba8f44c06d484c023b3bee2787ca4bdd0 + images.v1_27_8.cni: ${ISTIO_CNI_1_27} + images.v1_27_8.istiod: ${ISTIO_PILOT_1_27} + images.v1_27_8.must-gather: ${OSSM_MUST_GATHER_3_2} + images.v1_27_8.proxy: ${ISTIO_PROXY_1_27} + images.v1_27_8.ztunnel: ${ISTIO_ZTUNNEL_1_27} + images.v1_28_4.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:f8abbd0d6c7758cf2ccd49dba34921e3ac9b6e4cdbfed4e5fb38dc9a11d30a5d + images.v1_28_4.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:978f840ceda7eb00c6f15740bcd60e241bee732cd215e9de464ce431b0156ffa + images.v1_28_4.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:d57d23fc8ec4053a3d819ffb87532d6aec6b5874fdf22e22afdd7f0f0712df52 + images.v1_28_4.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:ba78d718627a0662f61ec633fdd2867ba5c24be6bdbc6df672d46456fb399dba + images.v1_28_4.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:2d5a3154e7b6b8d7eadb851a86cc5b7ee556b923843e73ae56197e875c564b03 + images.v1_28_5.cni: ${ISTIO_CNI_1_28} + images.v1_28_5.istiod: ${ISTIO_PILOT_1_28} + images.v1_28_5.must-gather: ${OSSM_MUST_GATHER_3_3} + images.v1_28_5.proxy: ${ISTIO_PROXY_1_28} + images.v1_28_5.ztunnel: ${ISTIO_ZTUNNEL_1_28} kubectl.kubernetes.io/default-container: sail-operator labels: app.kubernetes.io/created-by: servicemeshoperator3 @@ -832,7 +788,7 @@ spec: - --zap-log-level=info command: - /sail-operator - image: quay.io/sail-dev/sail-operator:3.0-latest + image: ${OSSM_OPERATOR_3_3} livenessProbe: httpGet: path: /healthz @@ -932,4 +888,4 @@ spec: maturity: alpha provider: name: Red Hat, Inc. - version: 3.0.1 + version: 3.3.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml index db1f194794..eeeb5b0598 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml @@ -362,7 +362,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -745,7 +745,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -1294,7 +1294,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -1668,7 +1668,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -2363,7 +2363,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -2746,7 +2746,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -3295,7 +3295,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -3669,7 +3669,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -4364,7 +4364,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -4747,7 +4747,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -5296,7 +5296,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: @@ -5670,7 +5670,7 @@ spec: description: This parameter controls the speed of traffic increase over the warmup duration. format: double - minimum: 0 + minimum: 1 nullable: true type: number duration: diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml index 6f0e329bbf..b976f41da6 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml @@ -63,16 +63,12 @@ spec: - routeConfiguration - required: - cluster - - required: - - waypoint - required: - listener - required: - routeConfiguration - required: - cluster - - required: - - waypoint properties: cluster: description: Match on envoy cluster attributes. @@ -98,13 +94,12 @@ spec: description: |- The specific config generation context to match on. - Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY, WAYPOINT + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY enum: - ANY - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY - - WAYPOINT type: string listener: description: Match on envoy listener attributes. @@ -234,46 +229,7 @@ spec: type: object type: object type: object - waypoint: - properties: - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this filter - to match on. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - portNumber: - description: The service port to match on. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 6553 - route: - description: Match a specific route. - properties: - name: - description: The Route objects generated by default - are named as default. - type: string - type: object - type: object type: object - x-kubernetes-validations: - - message: only support waypointMatch when context is WAYPOINT - rule: 'has(self.context) ? ((self.context == "WAYPOINT") ? - has(self.waypoint) : !has(self.waypoint)) : !has(self.waypoint)' patch: description: The patch to apply along with the operation. properties: diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml index 8d26d69d2d..c8abbbd387 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml @@ -177,7 +177,7 @@ spec: properties: bytes: description: response body as base64 encoded bytes. - format: byte + format: binary type: string string: type: string @@ -1229,7 +1229,7 @@ spec: properties: bytes: description: response body as base64 encoded bytes. - format: byte + format: binary type: string string: type: string @@ -2281,7 +2281,7 @@ spec: properties: bytes: description: response body as base64 encoded bytes. - format: byte + format: binary type: string string: type: string diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml index a5e491c878..0d53b3feee 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.19.0 name: istiocnis.sailoperator.io spec: group: sailoperator.io @@ -66,7 +66,7 @@ spec: spec: default: namespace: istio-cni - version: v1.29.0 + version: v1.28.5 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -1463,66 +1463,24 @@ spec: type: object type: object version: - default: v1.29.0 + default: v1.28.5 description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. enum: - - v1.29-latest - - v1.29.0 - v1.28-latest + - v1.28.5 - v1.28.4 - - v1.28.3 - - v1.28.2 - - v1.28.1 - - v1.28.0 - v1.27-latest - - v1.27.7 - - v1.27.6 + - v1.27.8 - v1.27.5 - - v1.27.4 - v1.27.3 - - v1.27.2 - - v1.27.1 - - v1.27.0 - v1.26-latest - v1.26.8 - - v1.26.7 - v1.26.6 - - v1.26.5 - v1.26.4 - v1.26.3 - v1.26.2 - - v1.26.1 - - v1.26.0 - - v1.25-latest - - v1.25.5 - - v1.25.4 - - v1.25.3 - - v1.25.2 - - v1.25.1 - - v1.24-latest - - v1.24.6 - - v1.24.5 - - v1.24.4 - - v1.24.3 - - v1.24.2 - - v1.24.1 - - v1.24.0 - - v1.23-latest - - v1.23.6 - - v1.23.5 - - v1.23.4 - - v1.23.3 - - v1.23.2 - - v1.22-latest - - v1.22.8 - - v1.22.7 - - v1.22.6 - - v1.22.5 - - v1.21.6 - - master - - v1.30-alpha.a22c3091 type: string required: - namespace diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml index ce610a7aa4..c3a682964f 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.19.0 name: istiorevisions.sailoperator.io spec: group: sailoperator.io @@ -121,12 +121,6 @@ spec: global: description: Global configuration for Istio components. properties: - agentgateway: - description: Specifies how proxies are configured within Istio. - properties: - image: - type: string - type: object arch: description: "Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1 @@ -288,10 +282,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -1001,31 +994,6 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object - seccompProfile: - description: |- - Configures the seccomp profile for the istio-validation and istio-proxy containers. - - See: https://kubernetes.io/docs/tutorials/security/seccomp/ - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object startupProbe: description: Configures the startup probe for the istio-proxy container. @@ -2358,10 +2326,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -3269,20 +3236,6 @@ spec: items: type: string type: array - fileFlushInterval: - description: |- - File flush interval for envoy flushes buffers to disk in milliseconds. - The duration needs to be set to a value greater than or equal to 1 millisecond. - Default is 1000ms. - Optional. - type: string - fileFlushMinSizeKb: - description: |- - File flush buffer size for envoy flushes buffers to disk in kilobytes. - Defaults to 64. - Optional. - format: int32 - type: integer gatewayTopology: description: |- Topology encapsulates the configuration which describes where the proxy is @@ -3817,12 +3770,6 @@ spec: Increase the value of this field if you find that the metrics from Envoys are truncated. format: int32 type: integer - statsCompression: - description: |- - Offer HTTP compression for stats - Defaults to true. - Optional. - type: boolean statsdUdpAddress: description: IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`). @@ -5235,32 +5182,6 @@ spec: Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". type: string - serviceAttributeEnrichment: - description: |- - Optional. Controls how service resource attributes are enriched in - exported trace spans. When set to `OTEL_SEMANTIC_CONVENTIONS`, the - service attributes (`service.name`, `service.namespace`, - `service.version`, `service.instance.id`) will be populated following - the OpenTelemetry semantic conventions for Kubernetes: - https://opentelemetry.io/docs/specs/semconv/non-normative/k8s-attributes/#service-attributes - - When not set or set to `ISTIO_CANONICAL`, Istio's default enrichment - logic is used (controlled by `TracingServiceName` in `ProxyConfig`). - - Example: - ```yaml - extensionProviders: - - name: otel-tracing - opentelemetry: - port: 443 - service: my.olly-backend.com - serviceAttributeEnrichment: OTEL_SEMANTIC_CONVENTIONS - - ``` - enum: - - ISTIO_CANONICAL - - OTEL_SEMANTIC_CONVENTIONS - type: string required: - port - service @@ -5391,35 +5312,6 @@ spec: Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used. type: boolean - headers: - description: |- - Optional. Additional HTTP headers to include in the request to the Zipkin collector. - These headers will be added to the HTTP request when sending spans to the collector. - items: - properties: - envName: - description: |- - The HTTP header value from the environment variable. - - Warning: - - The environment variable must be set in the istiod pod spec. - - This is not a end-to-end secure. - type: string - name: - description: REQUIRED. The HTTP header name. - type: string - value: - description: The HTTP header value. - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: At most one of [value envName] should - be set - rule: (has(self.value)?1:0) + (has(self.envName)?1:0) - <= 1 - type: array maxTagLength: description: |- Optional. Controls the overall path length allowed in a reported span. @@ -5445,11 +5337,6 @@ spec: Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". type: string - timeout: - description: |- - Optional. The timeout for the HTTP request to the Zipkin collector. - If not specified, the default timeout from Envoy's configuration will be used (which is 5 seconds currently). - type: string traceContextOption: description: |- Optional. Determines which trace context format to use for trace header extraction and propagation. @@ -5491,16 +5378,6 @@ spec: - DO_NOT_UPGRADE - UPGRADE type: string - hboneIdleTimeout: - description: |- - Idle timeout configured on Envoy proxies for their connection pools to ztunnel via HBONE. - This controls how long Envoy will keep idle connections to ztunnel before closing them. - Note: This setting is applied only on the Envoy proxy side; ztunnel does not use it. - Default timeout is 1 hour (3600s). - For environments with aggressive IP address reuse, it is recommended to set - this to a value less than the CNI IP cooldown period to prevent stale connection reuse. - For example, if your CNI has a 30s cooldown period, setting this to 15s is recommended. - type: string inboundClusterStatName: description: |- Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for @@ -6075,6 +5952,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -7157,8 +7035,8 @@ spec: and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi. - This is an beta field and requires the HPAConfigurableTolerance feature - gate to be enabled. + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -7232,8 +7110,8 @@ spec: and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi. - This is an beta field and requires the HPAConfigurableTolerance feature - gate to be enabled. + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -7288,10 +7166,6 @@ spec: format: int32 type: integer type: object - crlConfigMapName: - description: Select a custom name for istiod's plugged-in - CA CRL ConfigMap. - type: string deploymentLabels: additionalProperties: type: string @@ -7754,10 +7628,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -8624,7 +8497,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - Users are allowed to specify resource requirements + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources @@ -9510,24 +9383,6 @@ spec: description: Kubelet's generated CSRs will be addressed to this signer. type: string - userAnnotations: - additionalProperties: - type: string - description: |- - userAnnotations allow pod authors to pass additional information to - the signer implementation. Kubernetes does not restrict or validate this - metadata in any way. - - These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of - the PodCertificateRequest objects that Kubelet creates. - - Entries are subject to the same validation as object metadata annotations, - with the addition that all keys must be domain-prefixed. No restrictions - are placed on values, except an overall size limitation on the entire field. - - Signers should document the keys and values they support. Signers should - deny requests that contain keys they do not recognize. - type: object required: - keyType - signerName @@ -10147,54 +10002,18 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.29.0, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, v1.30-alpha.a22c3091. + Must be one of: v1.28.5, v1.28.4, v1.27.8, v1.27.5, v1.27.3, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. enum: - - v1.29.0 + - v1.28.5 - v1.28.4 - - v1.28.3 - - v1.28.2 - - v1.28.1 - - v1.28.0 - - v1.27.7 - - v1.27.6 + - v1.27.8 - v1.27.5 - - v1.27.4 - v1.27.3 - - v1.27.2 - - v1.27.1 - - v1.27.0 - v1.26.8 - - v1.26.7 - v1.26.6 - - v1.26.5 - v1.26.4 - v1.26.3 - v1.26.2 - - v1.26.1 - - v1.26.0 - - v1.25.5 - - v1.25.4 - - v1.25.3 - - v1.25.2 - - v1.25.1 - - v1.24.6 - - v1.24.5 - - v1.24.4 - - v1.24.3 - - v1.24.2 - - v1.24.1 - - v1.24.0 - - v1.23.6 - - v1.23.5 - - v1.23.4 - - v1.23.3 - - v1.23.2 - - v1.22.8 - - v1.22.7 - - v1.22.6 - - v1.22.5 - - v1.21.6 - - v1.30-alpha.a22c3091 type: string required: - namespace diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml index cf88d2b0dd..4ef72dd74f 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.19.0 name: istiorevisiontags.sailoperator.io spec: group: sailoperator.io diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml index e5a97b81b3..d871547ebe 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.19.0 name: istios.sailoperator.io spec: group: sailoperator.io @@ -88,7 +88,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.29.0 + version: v1.28.5 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -194,12 +194,6 @@ spec: global: description: Global configuration for Istio components. properties: - agentgateway: - description: Specifies how proxies are configured within Istio. - properties: - image: - type: string - type: object arch: description: "Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1 @@ -361,10 +355,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -1074,31 +1067,6 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object - seccompProfile: - description: |- - Configures the seccomp profile for the istio-validation and istio-proxy containers. - - See: https://kubernetes.io/docs/tutorials/security/seccomp/ - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object startupProbe: description: Configures the startup probe for the istio-proxy container. @@ -2431,10 +2399,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -3342,20 +3309,6 @@ spec: items: type: string type: array - fileFlushInterval: - description: |- - File flush interval for envoy flushes buffers to disk in milliseconds. - The duration needs to be set to a value greater than or equal to 1 millisecond. - Default is 1000ms. - Optional. - type: string - fileFlushMinSizeKb: - description: |- - File flush buffer size for envoy flushes buffers to disk in kilobytes. - Defaults to 64. - Optional. - format: int32 - type: integer gatewayTopology: description: |- Topology encapsulates the configuration which describes where the proxy is @@ -3890,12 +3843,6 @@ spec: Increase the value of this field if you find that the metrics from Envoys are truncated. format: int32 type: integer - statsCompression: - description: |- - Offer HTTP compression for stats - Defaults to true. - Optional. - type: boolean statsdUdpAddress: description: IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`). @@ -5308,32 +5255,6 @@ spec: Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". type: string - serviceAttributeEnrichment: - description: |- - Optional. Controls how service resource attributes are enriched in - exported trace spans. When set to `OTEL_SEMANTIC_CONVENTIONS`, the - service attributes (`service.name`, `service.namespace`, - `service.version`, `service.instance.id`) will be populated following - the OpenTelemetry semantic conventions for Kubernetes: - https://opentelemetry.io/docs/specs/semconv/non-normative/k8s-attributes/#service-attributes - - When not set or set to `ISTIO_CANONICAL`, Istio's default enrichment - logic is used (controlled by `TracingServiceName` in `ProxyConfig`). - - Example: - ```yaml - extensionProviders: - - name: otel-tracing - opentelemetry: - port: 443 - service: my.olly-backend.com - serviceAttributeEnrichment: OTEL_SEMANTIC_CONVENTIONS - - ``` - enum: - - ISTIO_CANONICAL - - OTEL_SEMANTIC_CONVENTIONS - type: string required: - port - service @@ -5464,35 +5385,6 @@ spec: Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used. type: boolean - headers: - description: |- - Optional. Additional HTTP headers to include in the request to the Zipkin collector. - These headers will be added to the HTTP request when sending spans to the collector. - items: - properties: - envName: - description: |- - The HTTP header value from the environment variable. - - Warning: - - The environment variable must be set in the istiod pod spec. - - This is not a end-to-end secure. - type: string - name: - description: REQUIRED. The HTTP header name. - type: string - value: - description: The HTTP header value. - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: At most one of [value envName] should - be set - rule: (has(self.value)?1:0) + (has(self.envName)?1:0) - <= 1 - type: array maxTagLength: description: |- Optional. Controls the overall path length allowed in a reported span. @@ -5518,11 +5410,6 @@ spec: Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". type: string - timeout: - description: |- - Optional. The timeout for the HTTP request to the Zipkin collector. - If not specified, the default timeout from Envoy's configuration will be used (which is 5 seconds currently). - type: string traceContextOption: description: |- Optional. Determines which trace context format to use for trace header extraction and propagation. @@ -5564,16 +5451,6 @@ spec: - DO_NOT_UPGRADE - UPGRADE type: string - hboneIdleTimeout: - description: |- - Idle timeout configured on Envoy proxies for their connection pools to ztunnel via HBONE. - This controls how long Envoy will keep idle connections to ztunnel before closing them. - Note: This setting is applied only on the Envoy proxy side; ztunnel does not use it. - Default timeout is 1 hour (3600s). - For environments with aggressive IP address reuse, it is recommended to set - this to a value less than the CNI IP cooldown period to prevent stale connection reuse. - For example, if your CNI has a 30s cooldown period, setting this to 15s is recommended. - type: string inboundClusterStatName: description: |- Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for @@ -6148,6 +6025,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -7230,8 +7108,8 @@ spec: and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi. - This is an beta field and requires the HPAConfigurableTolerance feature - gate to be enabled. + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -7305,8 +7183,8 @@ spec: and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi. - This is an beta field and requires the HPAConfigurableTolerance feature - gate to be enabled. + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -7361,10 +7239,6 @@ spec: format: int32 type: integer type: object - crlConfigMapName: - description: Select a custom name for istiod's plugged-in - CA CRL ConfigMap. - type: string deploymentLabels: additionalProperties: type: string @@ -7827,10 +7701,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -8697,7 +8570,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - Users are allowed to specify resource requirements + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources @@ -9583,24 +9456,6 @@ spec: description: Kubelet's generated CSRs will be addressed to this signer. type: string - userAnnotations: - additionalProperties: - type: string - description: |- - userAnnotations allow pod authors to pass additional information to - the signer implementation. Kubernetes does not restrict or validate this - metadata in any way. - - These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of - the PodCertificateRequest objects that Kubelet creates. - - Entries are subject to the same validation as object metadata annotations, - with the addition that all keys must be domain-prefixed. No restrictions - are placed on values, except an overall size limitation on the entire field. - - Signers should document the keys and values they support. Signers should - deny requests that contain keys they do not recognize. - type: object required: - keyType - signerName @@ -10218,66 +10073,24 @@ spec: type: object type: object version: - default: v1.29.0 + default: v1.28.5 description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. enum: - - v1.29-latest - - v1.29.0 - v1.28-latest + - v1.28.5 - v1.28.4 - - v1.28.3 - - v1.28.2 - - v1.28.1 - - v1.28.0 - v1.27-latest - - v1.27.7 - - v1.27.6 + - v1.27.8 - v1.27.5 - - v1.27.4 - v1.27.3 - - v1.27.2 - - v1.27.1 - - v1.27.0 - v1.26-latest - v1.26.8 - - v1.26.7 - v1.26.6 - - v1.26.5 - v1.26.4 - v1.26.3 - v1.26.2 - - v1.26.1 - - v1.26.0 - - v1.25-latest - - v1.25.5 - - v1.25.4 - - v1.25.3 - - v1.25.2 - - v1.25.1 - - v1.24-latest - - v1.24.6 - - v1.24.5 - - v1.24.4 - - v1.24.3 - - v1.24.2 - - v1.24.1 - - v1.24.0 - - v1.23-latest - - v1.23.6 - - v1.23.5 - - v1.23.4 - - v1.23.3 - - v1.23.2 - - v1.22-latest - - v1.22.8 - - v1.22.7 - - v1.22.6 - - v1.22.5 - - v1.21.6 - - master - - v1.30-alpha.a22c3091 type: string required: - namespace diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml index 2686ffad60..f624c9a08a 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.20.1 + controller-gen.kubebuilder.io/version: v0.19.0 name: ztunnels.sailoperator.io spec: group: sailoperator.io @@ -62,7 +62,7 @@ spec: spec: default: namespace: ztunnel - version: v1.29.0 + version: v1.28.5 description: ZTunnelSpec defines the desired state of ZTunnel properties: namespace: @@ -1135,62 +1135,6 @@ spec: caAddress: description: The address of the CA for CSR. type: string - dnsConfig: - description: |- - DNS config for the ztunnel pod - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config - properties: - nameservers: - description: |- - A list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. - Duplicated nameservers will be removed. - items: - type: string - type: array - x-kubernetes-list-type: atomic - options: - description: |- - A list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options given in Options - will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. - properties: - name: - description: |- - Name is this DNS resolver option's name. - Required. - type: string - value: - description: Value is this DNS resolver option's - value. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - searches: - description: |- - A list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - Duplicated search paths will be removed. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - dnsPolicy: - description: |- - DNS policy for the ztunnel pod - More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - type: string env: additionalProperties: type: string @@ -1281,16 +1225,6 @@ spec: See https://kubernetes.io/docs/user-guide/node-selection/ type: object - peerCaCrl: - description: |- - Certificate Revocation List (CRL) support for plugged-in CAs. - When enabled, ztunnel will check certificates against the CRL - properties: - enabled: - description: When enabled, ztunnel will check certificates - against the CRL - type: boolean - type: object podAnnotations: additionalProperties: type: string @@ -1437,10 +1371,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -2177,7 +2110,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - Users are allowed to specify resource requirements + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources @@ -3063,24 +2996,6 @@ spec: description: Kubelet's generated CSRs will be addressed to this signer. type: string - userAnnotations: - additionalProperties: - type: string - description: |- - userAnnotations allow pod authors to pass additional information to - the signer implementation. Kubernetes does not restrict or validate this - metadata in any way. - - These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of - the PodCertificateRequest objects that Kubelet creates. - - Entries are subject to the same validation as object metadata annotations, - with the addition that all keys must be domain-prefixed. No restrictions - are placed on values, except an overall size limitation on the entire field. - - Signers should document the keys and values they support. Signers should - deny requests that contain keys they do not recognize. - type: object required: - keyType - signerName @@ -3509,54 +3424,24 @@ spec: type: object type: object version: - default: v1.29.0 + default: v1.28.5 description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. enum: - - v1.29-latest - - v1.29.0 - v1.28-latest + - v1.28.5 - v1.28.4 - - v1.28.3 - - v1.28.2 - - v1.28.1 - - v1.28.0 - v1.27-latest - - v1.27.7 - - v1.27.6 + - v1.27.8 - v1.27.5 - - v1.27.4 - v1.27.3 - - v1.27.2 - - v1.27.1 - - v1.27.0 - v1.26-latest - v1.26.8 - - v1.26.7 - v1.26.6 - - v1.26.5 - v1.26.4 - v1.26.3 - v1.26.2 - - v1.26.1 - - v1.26.0 - - v1.25-latest - - v1.25.5 - - v1.25.4 - - v1.25.3 - - v1.25.2 - - v1.25.1 - - v1.24-latest - - v1.24.6 - - v1.24.5 - - v1.24.4 - - v1.24.3 - - v1.24.2 - - v1.24.1 - - v1.24.0 - - master - - v1.30-alpha.a22c3091 type: string required: - namespace @@ -3666,7 +3551,7 @@ spec: default: namespace: ztunnel profile: ambient - version: v1.29.0 + version: v1.28.5 description: ZTunnelSpec defines the desired state of ZTunnel properties: namespace: @@ -4757,62 +4642,6 @@ spec: caAddress: description: The address of the CA for CSR. type: string - dnsConfig: - description: |- - DNS config for the ztunnel pod - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config - properties: - nameservers: - description: |- - A list of DNS name server IP addresses. - This will be appended to the base nameservers generated from DNSPolicy. - Duplicated nameservers will be removed. - items: - type: string - type: array - x-kubernetes-list-type: atomic - options: - description: |- - A list of DNS resolver options. - This will be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options given in Options - will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. - properties: - name: - description: |- - Name is this DNS resolver option's name. - Required. - type: string - value: - description: Value is this DNS resolver option's - value. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - searches: - description: |- - A list of DNS search domains for host-name lookup. - This will be appended to the base search paths generated from DNSPolicy. - Duplicated search paths will be removed. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - dnsPolicy: - description: |- - DNS policy for the ztunnel pod - More info: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - enum: - - ClusterFirstWithHostNet - - ClusterFirst - - Default - - None - type: string env: additionalProperties: type: string @@ -4903,16 +4732,6 @@ spec: See https://kubernetes.io/docs/user-guide/node-selection/ type: object - peerCaCrl: - description: |- - Certificate Revocation List (CRL) support for plugged-in CAs. - When enabled, ztunnel will check certificates against the CRL - properties: - enabled: - description: When enabled, ztunnel will check certificates - against the CRL - type: boolean - type: object podAnnotations: additionalProperties: type: string @@ -5059,10 +4878,9 @@ spec: operator: description: |- Operator represents a key's relationship to the value. - Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. + Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators). type: string tolerationSeconds: description: |- @@ -5799,7 +5617,7 @@ spec: resources: description: |- resources represents the minimum resources the volume should have. - Users are allowed to specify resource requirements + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources @@ -6685,24 +6503,6 @@ spec: description: Kubelet's generated CSRs will be addressed to this signer. type: string - userAnnotations: - additionalProperties: - type: string - description: |- - userAnnotations allow pod authors to pass additional information to - the signer implementation. Kubernetes does not restrict or validate this - metadata in any way. - - These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of - the PodCertificateRequest objects that Kubelet creates. - - Entries are subject to the same validation as object metadata annotations, - with the addition that all keys must be domain-prefixed. No restrictions - are placed on values, except an overall size limitation on the entire field. - - Signers should document the keys and values they support. Signers should - deny requests that contain keys they do not recognize. - type: object required: - keyType - signerName @@ -7131,54 +6931,24 @@ spec: type: object type: object version: - default: v1.29.0 + default: v1.28.5 description: |- Defines the version of Istio to install. - Must be one of: v1.29-latest, v1.29.0, v1.28-latest, v1.28.4, v1.28.3, v1.28.2, v1.28.1, v1.28.0, v1.27-latest, v1.27.7, v1.27.6, v1.27.5, v1.27.4, v1.27.3, v1.27.2, v1.27.1, v1.27.0, master, v1.30-alpha.a22c3091. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. enum: - - v1.29-latest - - v1.29.0 - v1.28-latest + - v1.28.5 - v1.28.4 - - v1.28.3 - - v1.28.2 - - v1.28.1 - - v1.28.0 - v1.27-latest - - v1.27.7 - - v1.27.6 + - v1.27.8 - v1.27.5 - - v1.27.4 - v1.27.3 - - v1.27.2 - - v1.27.1 - - v1.27.0 - v1.26-latest - v1.26.8 - - v1.26.7 - v1.26.6 - - v1.26.5 - v1.26.4 - v1.26.3 - v1.26.2 - - v1.26.1 - - v1.26.0 - - v1.25-latest - - v1.25.5 - - v1.25.4 - - v1.25.3 - - v1.25.2 - - v1.25.1 - - v1.24-latest - - v1.24.6 - - v1.24.5 - - v1.24.4 - - v1.24.3 - - v1.24.2 - - v1.24.1 - - v1.24.0 - - master - - v1.30-alpha.a22c3091 type: string required: - namespace diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml index 618ca3c8a3..bacf4ecd54 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml @@ -288,16 +288,12 @@ spec: - environment - required: - header - - required: - - formatter - required: - literal - required: - environment - required: - header - - required: - - formatter properties: environment: description: Environment adds the value of an environment @@ -314,18 +310,6 @@ spec: required: - name type: object - formatter: - description: Formatter adds the value of access logging - substitution formatter. - properties: - value: - description: The formatter tag value to use, same - formatter as HTTP access logging (e.g. - minLength: 1 - type: string - required: - - value - type: object header: description: RequestHeader adds the value of an header from the request to each span. @@ -355,12 +339,6 @@ spec: type: object description: Optional. type: object - disableContextPropagation: - description: Controls whether trace context headers (e.g., `traceparent`/`tracestate` - for W3C, `X-B3-*` for Zipkin) are propagated in forwarded - requests. - nullable: true - type: boolean disableSpanReporting: description: Controls span reporting. nullable: true @@ -758,16 +736,12 @@ spec: - environment - required: - header - - required: - - formatter - required: - literal - required: - environment - required: - header - - required: - - formatter properties: environment: description: Environment adds the value of an environment @@ -784,18 +758,6 @@ spec: required: - name type: object - formatter: - description: Formatter adds the value of access logging - substitution formatter. - properties: - value: - description: The formatter tag value to use, same - formatter as HTTP access logging (e.g. - minLength: 1 - type: string - required: - - value - type: object header: description: RequestHeader adds the value of an header from the request to each span. @@ -825,12 +787,6 @@ spec: type: object description: Optional. type: object - disableContextPropagation: - description: Controls whether trace context headers (e.g., `traceparent`/`tracestate` - for W3C, `X-B3-*` for Zipkin) are propagated in forwarded - requests. - nullable: true - type: boolean disableSpanReporting: description: Controls span reporting. nullable: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go index 846a0d26dc..161b7bf563 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go @@ -57,8 +57,8 @@ func ApplyFipsValues(values helm.Values) (helm.Values, error) { // ApplyZTunnelFipsValues sets value ztunnel.env.TLS12_ENABLED if FIPS mode is enabled in the system. func ApplyZTunnelFipsValues(values helm.Values) (helm.Values, error) { if FipsEnabled { - if err := values.SetIfAbsent("ztunnel.env.TLS12_ENABLED", "true"); err != nil { - return nil, fmt.Errorf("failed to set ztunnel.env.TLS12_ENABLED: %w", err) + if err := values.SetIfAbsent("env.TLS12_ENABLED", "true"); err != nil { + return nil, fmt.Errorf("failed to set env.TLS12_ENABLED: %w", err) } } return values, nil diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go index 531efb98ba..b88f0bac77 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go @@ -35,6 +35,10 @@ func init() { vendorDefaults = MustParseVendorDefaultsYAML(vendorDefaultsYAML) } +func SetVendorDefaults(defaults map[string]map[string]any) { + vendorDefaults = defaults +} + func MustParseVendorDefaultsYAML(defaultsYAML []byte) map[string]map[string]any { var parsedDefaults map[string]map[string]any err := yaml.Unmarshal(defaultsYAML, &parsedDefaults) diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml index 49f50e6bc0..d74da33d58 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml @@ -1,8 +1,8 @@ # This file can be overwritten in vendor distributions of sail-operator to set # vendor-specific defaults. You can configure version-specific defaults for -# every field in `spec.values` for both Istio and IstioCNI resource, +# every field in `spec.values` for both Istio and IstioCNI resource, # see the following example: -# +# # v1.26.0: # istio: # pilot: @@ -15,3 +15,48 @@ # These defaults are type-checked at compile time. # Note: After modifying this file, run `make test` to ensure that the # generated defaults values from this files are valid. +v1.26.2: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.3: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.4: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.6: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.8: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.27.0: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.27.3: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.27.5: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.28.3: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml new file mode 100644 index 0000000000..25d59521ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml @@ -0,0 +1,119 @@ +# This file defines all the Istio versions supported by this operator. + +# The list of versions to support. Each item specifies the name of the version, +# the Git repository and commit hash for retrieving the profiles, and +# a list of URLs for retrieving the charts. +# The first item in the list is the default version. +# +# IMPORTANT: in addition to the versions specified here, the versions of the +# istio.io/istio and istio.io/api dependencies defined in go.mod must also be +# updated to match the most recent version specified here. The versions in +# go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), +# as well as all the Istio CRDs (e.g. VirtualService). +versions: + - name: v1.28-latest + ref: v1.28.5 + - name: v1.28.5 + version: 1.28.5 + repo: https://github.com/istio/istio + commit: 1.28.5 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/base-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/istiod-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/gateway-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/cni-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/ztunnel-1.28.5.tgz + - name: v1.28.4 + version: 1.28.4 + repo: https://github.com/istio/istio + commit: 1.28.4 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/base-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/istiod-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/gateway-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/cni-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/ztunnel-1.28.4.tgz + - name: v1.27-latest + ref: v1.27.8 + - name: v1.27.8 + version: 1.27.8 + repo: https://github.com/istio/istio + commit: 1.27.8 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/base-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/istiod-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/gateway-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/cni-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/ztunnel-1.27.8.tgz + - name: v1.27.5 + version: 1.27.5 + repo: https://github.com/istio/istio + commit: 1.27.5 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/base-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/istiod-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/gateway-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/cni-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/ztunnel-1.27.5.tgz + - name: v1.27.3 + version: 1.27.3 + repo: https://github.com/istio/istio + commit: 1.27.3 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/base-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/istiod-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/gateway-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/cni-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/ztunnel-1.27.3.tgz + - name: v1.26-latest + ref: v1.26.8 + - name: v1.26.8 + version: 1.26.8 + repo: https://github.com/istio/istio + commit: 1.26.8 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/base-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/istiod-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/gateway-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/cni-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/ztunnel-1.26.8.tgz + - name: v1.26.6 + version: 1.26.6 + repo: https://github.com/istio/istio + commit: 1.26.6 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/base-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/istiod-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/gateway-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/cni-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/ztunnel-1.26.6.tgz + - name: v1.26.4 + version: 1.26.4 + repo: https://github.com/istio/istio + commit: 1.26.4 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/base-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/istiod-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/gateway-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/cni-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/ztunnel-1.26.4.tgz + - name: v1.26.3 + version: 1.26.3 + repo: https://github.com/istio/istio + commit: 1.26.3 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/base-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/istiod-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/gateway-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/cni-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/ztunnel-1.26.3.tgz + - name: v1.26.2 + version: 1.26.2 + repo: https://github.com/istio/istio + commit: 1.26.2 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/base-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/istiod-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/gateway-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/cni-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/ztunnel-1.26.2.tgz \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml index 8ae47f0b3e..1fb7220fb4 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml @@ -15,20 +15,18 @@ # required. They will stay valid input values for the spec.version field though, # to avoid breaking API guarantees. versions: - - name: v1.29-latest - ref: v1.29.0 - - name: v1.29.0 - version: 1.29.0 - repo: https://github.com/istio/istio - commit: 1.29.0 - charts: - - https://istio-release.storage.googleapis.com/charts/base-1.29.0.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.29.0.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.29.0.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.29.0.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.29.0.tgz - name: v1.28-latest - ref: v1.28.4 + ref: v1.28.5 + - name: v1.28.5 + version: 1.28.5 + repo: https://github.com/istio/istio + commit: 1.28.5 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.5.tgz - name: v1.28.4 version: 1.28.4 repo: https://github.com/istio/istio @@ -80,7 +78,17 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.28.0.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.0.tgz - name: v1.27-latest - ref: v1.27.7 + ref: v1.27.8 + - name: v1.27.8 + version: 1.27.8 + repo: https://github.com/istio/istio + commit: 1.27.8 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.8.tgz - name: v1.27.7 version: 1.27.7 repo: https://github.com/istio/istio @@ -163,25 +171,96 @@ versions: - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.0.tgz - name: v1.26-latest ref: v1.26.8 - eol: true - name: v1.26.8 - eol: true + version: 1.26.8 + repo: https://github.com/istio/istio + commit: 1.26.8 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.8.tgz - name: v1.26.7 - eol: true + version: 1.26.7 + repo: https://github.com/istio/istio + commit: 1.26.7 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.7.tgz - name: v1.26.6 - eol: true + version: 1.26.6 + repo: https://github.com/istio/istio + commit: 1.26.6 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.6.tgz - name: v1.26.5 - eol: true + version: 1.26.5 + repo: https://github.com/istio/istio + commit: 1.26.5 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.5.tgz - name: v1.26.4 - eol: true + version: 1.26.4 + repo: https://github.com/istio/istio + commit: 1.26.4 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.4.tgz - name: v1.26.3 - eol: true + version: 1.26.3 + repo: https://github.com/istio/istio + commit: 1.26.3 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.3.tgz - name: v1.26.2 - eol: true + version: 1.26.2 + repo: https://github.com/istio/istio + commit: 1.26.2 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.2.tgz - name: v1.26.1 - eol: true + version: 1.26.1 + repo: https://github.com/istio/istio + commit: 1.26.1 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.1.tgz - name: v1.26.0 - eol: true + version: 1.26.0 + repo: https://github.com/istio/istio + commit: 1.26.0 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.0.tgz - name: v1.25-latest ref: v1.25.5 eol: true @@ -238,16 +317,3 @@ versions: eol: true - name: v1.21.6 eol: true - - name: master - ref: v1.30-alpha.a22c3091 - - name: v1.30-alpha.a22c3091 - version: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 - repo: https://github.com/istio/istio - branch: master - commit: a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 - charts: - - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0/helm/base-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz - - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0/helm/cni-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz - - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0/helm/gateway-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz - - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0/helm/istiod-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz - - https://storage.googleapis.com/istio-build/dev/1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0/helm/ztunnel-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go index 05848f8510..7abe0ec852 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go @@ -88,7 +88,6 @@ func (r *ZTunnelReconciler) ComputeValues(version string, userValues *v1.ZTunnel return nil, fmt.Errorf("failed to apply profile: %w", err) } - // apply fips values mergedHelmValues, err = istiovalues.ApplyZTunnelFipsValues(mergedHelmValues) if err != nil { return nil, fmt.Errorf("failed to apply FIPS values: %w", err) diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag new file mode 100644 index 0000000000..7e3caa2c8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag @@ -0,0 +1 @@ +5731496f7ef557b2845a356becbf57d41c7bbd7bf6988c18782b852107031411 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml new file mode 100644 index 0000000000..acc961e937 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml new file mode 100644 index 0000000000..72c52fc49e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/networkpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/networkpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/networkpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml new file mode 100644 index 0000000000..258635040d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.2 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..a9c5446a0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json new file mode 100644 index 0000000000..3fdaa2730f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json @@ -0,0 +1,330 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + }, + "_internal_defaults_do_not_set": { + "type": "object" + } + }, + "additionalProperties": false + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml new file mode 100644 index 0000000000..4e65676ba1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml @@ -0,0 +1,170 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..68663298a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..07885fe316 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..f28930bc59 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..0aa99a967f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml @@ -0,0 +1,532 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..691e03cf96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..1eacf16e69 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,29 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml new file mode 100644 index 0000000000..c9bba2c06c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml @@ -0,0 +1,557 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.2 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..18f8737994 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..c9bba2c06c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml @@ -0,0 +1,557 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.2 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..c29b478ebb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..083ef99a4d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.2 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag new file mode 100644 index 0000000000..fe61700d5a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag @@ -0,0 +1 @@ +4e833867b853de59dbc0b18c7499219b87e1552f97c5b3c691219b7686103f46 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit new file mode 100644 index 0000000000..c7c3f3333e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit @@ -0,0 +1 @@ +1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag new file mode 100644 index 0000000000..e64046cc02 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag @@ -0,0 +1 @@ +5bfe27456ff3cc185112be32b7a99a6ea9b98e91843e22face47e170cc954bc1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag new file mode 100644 index 0000000000..f83aaeb1c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag @@ -0,0 +1 @@ +ddac28c3771fcd097e99b8a03730cc206ab99f715078ead99d5c5cc528d6e290 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag new file mode 100644 index 0000000000..341d4a2cc2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag @@ -0,0 +1 @@ +b7ddc493f337a56e54450e11c8904c27acec2f551d3fa821daad195f8cb38342 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag new file mode 100644 index 0000000000..5facdc47f9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag @@ -0,0 +1 @@ +a5c745b2352b4e645c2b498e84f9aa1a76e0f12cdfa15907a509a41160408544 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml new file mode 100644 index 0000000000..40c0089217 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml new file mode 100644 index 0000000000..8e4c5f64c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/networkpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/networkpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/networkpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml new file mode 100644 index 0000000000..e7a4d48627 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.3 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..688bcd659d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.schema.json new file mode 100644 index 0000000000..3fdaa2730f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.schema.json @@ -0,0 +1,330 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + }, + "_internal_defaults_do_not_set": { + "type": "object" + } + }, + "additionalProperties": false + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..2e6749b0d8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/grpc-agent.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-agent.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..f881b9a0ef --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/injection-template.yaml @@ -0,0 +1,532 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/values.yaml new file mode 100644 index 0000000000..bb369026ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..93f38eebee --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..bb369026ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..488c3f4aa6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..18ab47fd44 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.3 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/cni-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/cni-1.26.3.tgz.etag new file mode 100644 index 0000000000..59d97a846a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/cni-1.26.3.tgz.etag @@ -0,0 +1 @@ +31b5c9c2ddc9d08b454146bee2b8782b000e4ccef24bfd224dc676050a91d974 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/commit new file mode 100644 index 0000000000..f8f7381409 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/commit @@ -0,0 +1 @@ +1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/gateway-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/gateway-1.26.3.tgz.etag new file mode 100644 index 0000000000..e0203739a1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/gateway-1.26.3.tgz.etag @@ -0,0 +1 @@ +bb1164a9e0c196c577e75164a5c7d552151639af49fb67ec7340a12652fbe78d diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/istiod-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/istiod-1.26.3.tgz.etag new file mode 100644 index 0000000000..ff16643d19 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/istiod-1.26.3.tgz.etag @@ -0,0 +1 @@ +ec6577560ba5bf7ae1913296be11d912917788e11de0a5ad96a29777113830e9 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/ztunnel-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/ztunnel-1.26.3.tgz.etag new file mode 100644 index 0000000000..39cab5f1d2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/ztunnel-1.26.3.tgz.etag @@ -0,0 +1 @@ +49fa0b626799f0011c6210ce63153b5e96b7de01a18109778c0965103582c6c5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/base-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/base-1.26.4.tgz.etag new file mode 100644 index 0000000000..bd66b58f5c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/base-1.26.4.tgz.etag @@ -0,0 +1 @@ +1339635defaa4b20e76c1491e1bf6d9ab0426613c7aafb177077e735d89f9304 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/Chart.yaml new file mode 100644 index 0000000000..a816e88a05 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/Chart.yaml new file mode 100644 index 0000000000..97d726e84d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/values.yaml new file mode 100644 index 0000000000..c7f3c4a06f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.4 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..847bd28fd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.schema.json new file mode 100644 index 0000000000..d81fcffaa5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.schema.json @@ -0,0 +1,368 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "valueFrom": { + "type": "object" + } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "additionalContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..93d19507e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/grpc-agent.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-agent.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..f881b9a0ef --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/injection-template.yaml @@ -0,0 +1,532 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/values.yaml new file mode 100644 index 0000000000..7e2d3b7e37 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.4 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..1b770dc9fb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..7e2d3b7e37 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.4 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..b8f225ccff --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..5709d37452 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.4 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/cni-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/cni-1.26.4.tgz.etag new file mode 100644 index 0000000000..07bfbcc430 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/cni-1.26.4.tgz.etag @@ -0,0 +1 @@ +3569346826bcf9faf738eb5cfd1faa861a0af9bc54cc43f8740184f30d541e67 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/commit new file mode 100644 index 0000000000..ea0928cedf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/commit @@ -0,0 +1 @@ +1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/gateway-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/gateway-1.26.4.tgz.etag new file mode 100644 index 0000000000..8e3dc3d980 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/gateway-1.26.4.tgz.etag @@ -0,0 +1 @@ +54f8f96edb1e67e8c60ff43cb29631da484b57a74caab86d0851b349c61ab6bf diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/istiod-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/istiod-1.26.4.tgz.etag new file mode 100644 index 0000000000..749caffe88 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/istiod-1.26.4.tgz.etag @@ -0,0 +1 @@ +45fd920c61de59055368f9ecf6b12002c81d3924e28f3297e887f2e5048bddb3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/ztunnel-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/ztunnel-1.26.4.tgz.etag new file mode 100644 index 0000000000..a2c1b60fde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/ztunnel-1.26.4.tgz.etag @@ -0,0 +1 @@ +91c6de1398ceb60a84a20f8e430c489980ce07760e777ab33b90968aa82d933b diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/base-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/base-1.26.6.tgz.etag new file mode 100644 index 0000000000..2b76ee1cf3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/base-1.26.6.tgz.etag @@ -0,0 +1 @@ +3546ec2b47b04cdbef9940a2c26f6718dcd17a9901f3601147b22e1e88bd64a5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/Chart.yaml new file mode 100644 index 0000000000..ea428a19ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/Chart.yaml new file mode 100644 index 0000000000..3c84bd2d29 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/values.yaml new file mode 100644 index 0000000000..58b2d721fa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.6 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..9ca41c9c66 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.schema.json new file mode 100644 index 0000000000..d81fcffaa5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.schema.json @@ -0,0 +1,368 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "valueFrom": { + "type": "object" + } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "additionalContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..336c6e2e04 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/grpc-agent.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-agent.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..e851a8371c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/injection-template.yaml @@ -0,0 +1,531 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/values.yaml new file mode 100644 index 0000000000..b0146dc644 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.6 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..518159271e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..b0146dc644 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.6 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..8fbec7309b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..24a28fd3a2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.6 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/cni-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/cni-1.26.6.tgz.etag new file mode 100644 index 0000000000..27f35c7d31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/cni-1.26.6.tgz.etag @@ -0,0 +1 @@ +ce63413a70957a27741720ccf62d52adc0244ca4541ae4183fb3ed2027011a37 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/commit new file mode 100644 index 0000000000..f250c8f604 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/commit @@ -0,0 +1 @@ +1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/gateway-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/gateway-1.26.6.tgz.etag new file mode 100644 index 0000000000..a1f30382e2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/gateway-1.26.6.tgz.etag @@ -0,0 +1 @@ +8116afb6dd7d3e92a382c07e562f6298c7353ee8e0a477802a4e0c3c8d4e3ac3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/istiod-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/istiod-1.26.6.tgz.etag new file mode 100644 index 0000000000..b5a6370e26 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/istiod-1.26.6.tgz.etag @@ -0,0 +1 @@ +5b4add82c3b36c6140b7f1f6e53193ec02d117fa6334c475ec6de5ddf82b2122 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/ztunnel-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/ztunnel-1.26.6.tgz.etag new file mode 100644 index 0000000000..2c77ac2106 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/ztunnel-1.26.6.tgz.etag @@ -0,0 +1 @@ +d074fcda7eb6d9edec0bf2ba2293cbd7cd385d23769ce63ca63a47e3d8594954 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/base-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/base-1.26.8.tgz.etag new file mode 100644 index 0000000000..ff737b60b4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/base-1.26.8.tgz.etag @@ -0,0 +1 @@ +baa40c2ad185ed9b25d18b1b7bf9b12db565b6866ad3df914fbef6691b60e09e diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/Chart.yaml new file mode 100644 index 0000000000..d631eda339 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/Chart.yaml new file mode 100644 index 0000000000..17c864fcb3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/values.yaml new file mode 100644 index 0000000000..b86115fc8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.8 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..17896d25b9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.schema.json new file mode 100644 index 0000000000..d81fcffaa5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.schema.json @@ -0,0 +1,368 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "valueFrom": { + "type": "object" + } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "additionalContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..a506b0eac9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/grpc-agent.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-agent.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..e851a8371c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/injection-template.yaml @@ -0,0 +1,531 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/values.yaml new file mode 100644 index 0000000000..91b2c13102 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..80dfc7df32 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..91b2c13102 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..8444a1f3ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..b7d48221b5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.8 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/cni-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/cni-1.26.8.tgz.etag new file mode 100644 index 0000000000..bb9e38f7e6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/cni-1.26.8.tgz.etag @@ -0,0 +1 @@ +8d0a2679d64e69377835630fc33625eacc303312abd720943fff890e8e4a7af4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/commit new file mode 100644 index 0000000000..25691b4f1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/commit @@ -0,0 +1 @@ +1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/gateway-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/gateway-1.26.8.tgz.etag new file mode 100644 index 0000000000..434951920c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/gateway-1.26.8.tgz.etag @@ -0,0 +1 @@ +b74d9ab60d50d8b65c881b68bad16107773bfaec7ea554c35decd3808f0ebf59 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/istiod-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/istiod-1.26.8.tgz.etag new file mode 100644 index 0000000000..4f24c8b517 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/istiod-1.26.8.tgz.etag @@ -0,0 +1 @@ +fb8c24fe87200d4eac26e3f957044f6cc0d9c3a2279db6b6b1b293853d9d968a diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/ztunnel-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/ztunnel-1.26.8.tgz.etag new file mode 100644 index 0000000000..ffd17d6f23 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/ztunnel-1.26.8.tgz.etag @@ -0,0 +1 @@ +5461f28e418f9506bd4392a8179cd3201493f4b9d443efa73eebf8b84d3fcf0d diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/base-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/base-1.27.0.tgz.etag deleted file mode 100644 index 0b7df0bf05..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/base-1.27.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -b26ddf910c7cd2943690d3c34e92aa12 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/Chart.yaml deleted file mode 100644 index 283476f0c9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.0 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.27.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/Chart.yaml deleted file mode 100644 index 757c4fa7d1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.0 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.27.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/values.yaml deleted file mode 100644 index 7dfffb0605..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/values.yaml +++ /dev/null @@ -1,178 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.27.0 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/Chart.yaml deleted file mode 100644 index 3df0e88dc8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.0 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.27.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.schema.json deleted file mode 100644 index 62ef87451c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.schema.json +++ /dev/null @@ -1,341 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ - "null", - "integer" - ] - }, - "readinessProbe": { - "type": [ - "null", - "object" - ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": [ - "string", - "null" - ] - }, - "memory": { - "type": [ - "string", - "null" - ] - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": [ - "string", - "null" - ] - }, - "memory": { - "type": [ - "string", - "null" - ] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - }, - "_internal_defaults_do_not_set": { - "type": "object" - } - }, - "additionalProperties": false - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.yaml deleted file mode 100644 index c0147ce210..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/Chart.yaml deleted file mode 100644 index 1b89d346e7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.0 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.27.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 9705cfe5df..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,542 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index d9c86f43fa..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index d21cd919d3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/values.yaml deleted file mode 100644 index ecd1ba2dc8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/Chart.yaml deleted file mode 100644 index aab11814a8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.0 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/values.yaml deleted file mode 100644 index ecd1ba2dc8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/Chart.yaml deleted file mode 100644 index 86cb446c97..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.0 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.27.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 6b8ae5b6ad..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,210 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.global.network }} - - name: NETWORK - value: {{ .Values.global.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/values.yaml deleted file mode 100644 index 7550a4d594..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/values.yaml +++ /dev/null @@ -1,129 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.27.0 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # We keep the global namespace around for backwards-compatibility - global: - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/cni-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/cni-1.27.0.tgz.etag deleted file mode 100644 index 124ddc9782..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/cni-1.27.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -fc3f3e6cd38df93ff10105c0729e9d65 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/commit deleted file mode 100644 index 5db08bf2dc..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/commit +++ /dev/null @@ -1 +0,0 @@ -1.27.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/gateway-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/gateway-1.27.0.tgz.etag deleted file mode 100644 index 989623b984..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/gateway-1.27.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -8540c46a559c45954a2a794d5f664925 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/istiod-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/istiod-1.27.0.tgz.etag deleted file mode 100644 index 27962f6160..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/istiod-1.27.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -3b9c0a33854bb060d8d4f87c81690909 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/ztunnel-1.27.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/ztunnel-1.27.0.tgz.etag deleted file mode 100644 index b46e72dc4f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/ztunnel-1.27.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -64fede9b999cb988adeb8e92624d3de3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/base-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/base-1.27.1.tgz.etag deleted file mode 100644 index 8c62e0d68a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/base-1.27.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -7f2f5fd5304de6f4c31f33b703061549 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/Chart.yaml deleted file mode 100644 index 90ccae188f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.1 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.27.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/Chart.yaml deleted file mode 100644 index 6374f2dc27..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.1 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.27.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 6f6ef329a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 896de3d038..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,248 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/values.yaml deleted file mode 100644 index ca36bdae50..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/values.yaml +++ /dev/null @@ -1,178 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.27.1 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/Chart.yaml deleted file mode 100644 index f7522efaa4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.1 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.27.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index b0155cdf05..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.schema.json deleted file mode 100644 index bcbb30ccc8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.schema.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.yaml deleted file mode 100644 index c0147ce210..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/Chart.yaml deleted file mode 100644 index 6c2be4955f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.1 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.27.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 9705cfe5df..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,542 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 616fb42c71..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,401 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 3e6a2f5dc1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,396 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9b952ba857..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index d9c86f43fa..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 1b8fa4d079..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 9d931c4065..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a8446a6fc9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,111 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 1b769c6ec7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,312 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index ca017194e6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,164 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index d21cd919d3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index dbaa805035..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-endpoints.yaml deleted file mode 100644 index f13b8ce9a9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-endpoints.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index 0a48b9918b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/role.yaml deleted file mode 100644 index bbcfbe4356..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0c66b38a7d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/service.yaml deleted file mode 100644 index 25bda4dfd2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,57 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index 8b4a0c0faf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 8562a52d59..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index b49bf7fafd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,68 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/values.yaml deleted file mode 100644 index b1a7151523..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.1 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/Chart.yaml deleted file mode 100644 index aead968334..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.1 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/values.yaml deleted file mode 100644 index b1a7151523..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.1 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/Chart.yaml deleted file mode 100644 index 0f71ab7057..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.1 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.27.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 6b8ae5b6ad..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,210 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.global.network }} - - name: NETWORK - value: {{ .Values.global.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/values.yaml deleted file mode 100644 index fae7cad337..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/values.yaml +++ /dev/null @@ -1,129 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.27.1 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # We keep the global namespace around for backwards-compatibility - global: - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/cni-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/cni-1.27.1.tgz.etag deleted file mode 100644 index 3400ad12f8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/cni-1.27.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -b2bc44fca2bd70c198e3e1cb207fbf5f diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/commit deleted file mode 100644 index 08002f86cc..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/commit +++ /dev/null @@ -1 +0,0 @@ -1.27.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/gateway-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/gateway-1.27.1.tgz.etag deleted file mode 100644 index ddcecb834f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/gateway-1.27.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -dbbc0d3a0ee648e909e0c6a6b87f601c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/istiod-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/istiod-1.27.1.tgz.etag deleted file mode 100644 index 49dbc1857f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/istiod-1.27.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -4e50a475452cc800fadcdd81a2e08dd6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/ztunnel-1.27.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/ztunnel-1.27.1.tgz.etag deleted file mode 100644 index b022960ca7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/ztunnel-1.27.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -84ba6127a9bbaa9a5b24d161d3740e08 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/base-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/base-1.27.2.tgz.etag deleted file mode 100644 index 8ca19cc00d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/base-1.27.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -3f9ec4213cb967f1c458fa5621511032 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/Chart.yaml deleted file mode 100644 index fa036d7332..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.2 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.27.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/Chart.yaml deleted file mode 100644 index fd22b74314..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.2 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.27.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 6f6ef329a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 896de3d038..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,248 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/values.yaml deleted file mode 100644 index d563739cf6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/cni/values.yaml +++ /dev/null @@ -1,178 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.27.2 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/Chart.yaml deleted file mode 100644 index e485d21c6b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.2 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.27.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index b0155cdf05..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.schema.json deleted file mode 100644 index bcbb30ccc8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.schema.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.yaml deleted file mode 100644 index c0147ce210..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/gateway/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/Chart.yaml deleted file mode 100644 index af93a35361..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.2 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.27.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/injection-template.yaml deleted file mode 100644 index df04baf847..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,541 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 616fb42c71..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,401 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 3e6a2f5dc1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,396 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9b952ba857..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index d9c86f43fa..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 1b8fa4d079..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 9d931c4065..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a8446a6fc9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,111 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 1b769c6ec7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,312 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index ca017194e6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,164 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index d21cd919d3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index dbaa805035..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-endpoints.yaml deleted file mode 100644 index f13b8ce9a9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-endpoints.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index 0a48b9918b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/role.yaml deleted file mode 100644 index bbcfbe4356..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0c66b38a7d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/service.yaml deleted file mode 100644 index 25bda4dfd2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,57 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index 8b4a0c0faf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 8562a52d59..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index b49bf7fafd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,68 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/values.yaml deleted file mode 100644 index 89d86fdb80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/istiod/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/Chart.yaml deleted file mode 100644 index cf8f6ce14f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.2 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/values.yaml deleted file mode 100644 index 89d86fdb80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/revisiontags/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/Chart.yaml deleted file mode 100644 index 0ef197b82f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.2 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.27.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/values.yaml deleted file mode 100644 index 2b44dda274..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/values.yaml +++ /dev/null @@ -1,128 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.27.2 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/cni-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/cni-1.27.2.tgz.etag deleted file mode 100644 index 02228775e6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/cni-1.27.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -472746bd7177d6917f231a5477bb42c0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/commit deleted file mode 100644 index 457f038546..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/commit +++ /dev/null @@ -1 +0,0 @@ -1.27.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/gateway-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/gateway-1.27.2.tgz.etag deleted file mode 100644 index 400c21e39e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/gateway-1.27.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -f41b30a1ecd3f8eb5e98a3836bc278c0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/istiod-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/istiod-1.27.2.tgz.etag deleted file mode 100644 index ce1391c25f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/istiod-1.27.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -78abcde440e50316bdc1423cfc191c7b diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/ztunnel-1.27.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/ztunnel-1.27.2.tgz.etag deleted file mode 100644 index b6a19afbe9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/ztunnel-1.27.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -8c791fe726f190936c1d071b0d4f82f7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag index 1677b79984..166c945b12 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag @@ -1 +1 @@ -cce45283947bb5ef9df93c274ccf452e +d8ddfa21d5aa39a6066ef565f30bcd4d92c29c50cc14fcd29db41e69e45ef1fd diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml index 05415625c0..703e4bf6a8 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml @@ -157,6 +157,10 @@ _internal_defaults_do_not_set: logAsJson: false + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml index b0155cdf05..91869a0ead 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml @@ -1,4 +1,6 @@ {{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -16,3 +18,4 @@ spec: {{- toYaml . | nindent 2 }} {{- end }} {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml index c0147ce210..454d2a4d2b 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml @@ -139,6 +139,9 @@ _internal_defaults_do_not_set: # By default, the `podDisruptionBudget` is disabled (set to `{}`), # which means that no PodDisruptionBudget resource will be created. # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # # To enable the PodDisruptionBudget, configure it by specifying the # `minAvailable` or `maxUnavailable`. For example, to set the # minimum number of available replicas to 1, you can update this value as follows: diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml index d9c86f43fa..40f39511ac 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml @@ -161,10 +161,10 @@ rules: - apiGroups: ["gateway.networking.k8s.io"] resources: ["gatewayclasses"] verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] + - apiGroups: ["inference.networking.k8s.io"] resources: ["inferencepools"] verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] + - apiGroups: ["inference.networking.k8s.io"] resources: ["inferencepools/status"] verbs: ["update", "patch"] diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml index d21cd919d3..fcd6c7c2e4 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml @@ -1,6 +1,8 @@ # Not created if istiod is running remotely {{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} {{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -34,3 +36,4 @@ spec: --- {{- end }} {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml index 4f0d23eaf5..c5879ead5c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml @@ -287,6 +287,10 @@ _internal_defaults_do_not_set: logging: level: "default:info" + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + omitSidecarInjectorConfigMap: false # Configure whether Operator manages webhook configurations. The current behavior diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml index 4f0d23eaf5..c5879ead5c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml @@ -287,6 +287,10 @@ _internal_defaults_do_not_set: logging: level: "default:info" + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + omitSidecarInjectorConfigMap: false # Configure whether Operator manages webhook configurations. The current behavior diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/networkpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/networkpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/networkpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml index ad00f2b476..812abc7a8c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml @@ -17,6 +17,11 @@ _internal_defaults_do_not_set: # corresponds to the networks in the map of mesh networks. network: "" + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. resourceName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag index 7a5f5e1199..759ea13723 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag @@ -1 +1 @@ -225fe2f64f96f2d06ae32ab8aee589e9 +4d8a7590020911500b8b8556c7281d25fd7216bedf19449c445c561bd7065677 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag index c7fcfbf51c..11459843c9 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag @@ -1 +1 @@ -283b9a884ddfc8d6181e4ba9b7b864d3 +3d0d21fd794e155be848d053637e6c919e26096fe18206846a187cbbdb773995 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag index b8e60f837d..0178d390f1 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag @@ -1 +1 @@ -bb59c9d779b441c3b807c7b0e0469672 +d596603bd0ec87f9ead32c7ac26389578ebd878150d97f73c2c6a697173c3856 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag index e4501f0133..7e5bde22b5 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag @@ -1 +1 @@ -1796665ace8eb824959a10e3dab18060 +f372f9abec7d6d6d12610b71701dd37e3cb4a16e58e892ec5ada6c2e52059359 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/base-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/base-1.27.4.tgz.etag deleted file mode 100644 index 8e4b97d887..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/base-1.27.4.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -85804e76b8331e8abc25bf6663dab8a4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/Chart.yaml deleted file mode 100644 index 2d63a6c8a9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.4 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.27.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/Chart.yaml deleted file mode 100644 index b2d482aa38..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.4 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.27.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 6f6ef329a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 896de3d038..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,248 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/values.yaml deleted file mode 100644 index 8a6b25bc51..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/cni/values.yaml +++ /dev/null @@ -1,178 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.27.4 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/Chart.yaml deleted file mode 100644 index 2dfdbf31d1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.4 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.27.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index b0155cdf05..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.schema.json deleted file mode 100644 index bcbb30ccc8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.schema.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.yaml deleted file mode 100644 index c0147ce210..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/gateway/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/Chart.yaml deleted file mode 100644 index f10e8233fc..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.4 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.27.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/injection-template.yaml deleted file mode 100644 index df04baf847..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,541 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 616fb42c71..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,401 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 3e6a2f5dc1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,396 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9b952ba857..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index d9c86f43fa..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 1b8fa4d079..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 9d931c4065..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a8446a6fc9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,111 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 1b769c6ec7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,312 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index ca017194e6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,164 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index d21cd919d3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index dbaa805035..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-endpoints.yaml deleted file mode 100644 index f13b8ce9a9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-endpoints.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index 0a48b9918b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/role.yaml deleted file mode 100644 index bbcfbe4356..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0c66b38a7d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/service.yaml deleted file mode 100644 index 25bda4dfd2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,57 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index 8b4a0c0faf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 8562a52d59..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index b49bf7fafd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,68 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/values.yaml deleted file mode 100644 index cda9829ce1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/istiod/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.4 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/Chart.yaml deleted file mode 100644 index 4ba00e976c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.4 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/values.yaml deleted file mode 100644 index cda9829ce1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/revisiontags/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.4 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/Chart.yaml deleted file mode 100644 index a2c5bb6855..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.4 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.27.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 7de85a2d18..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,210 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/values.yaml deleted file mode 100644 index 50d7b3c63c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/charts/ztunnel/values.yaml +++ /dev/null @@ -1,128 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.27.4 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/cni-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/cni-1.27.4.tgz.etag deleted file mode 100644 index 57772900cc..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/cni-1.27.4.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -51fae7c4c2f2a9b595620028740a209c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/commit deleted file mode 100644 index d6201580ed..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/commit +++ /dev/null @@ -1 +0,0 @@ -1.27.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/gateway-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/gateway-1.27.4.tgz.etag deleted file mode 100644 index 104eaa5c38..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/gateway-1.27.4.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -a2843b9c7a9a91c00e461f4056d9b1d9 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/istiod-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/istiod-1.27.4.tgz.etag deleted file mode 100644 index 44a3f58f0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/istiod-1.27.4.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -d7be874f1187a5e030b3e3e333e774c7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/ztunnel-1.27.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/ztunnel-1.27.4.tgz.etag deleted file mode 100644 index f3718f5193..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.4/ztunnel-1.27.4.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -3b6cd190b838a132d4d14a0047581453 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag index b4d325688a..5c0b7b25d0 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag @@ -1 +1 @@ -cb5b876deebf2702f8413bd19b8fa439 +c53922f1c9da614d87ef63613010eba7e34509719db3d1a4c81be59f00299e4e diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml index 903450f82b..b3beacd6ce 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml @@ -157,6 +157,10 @@ _internal_defaults_do_not_set: logAsJson: false + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml index b0155cdf05..91869a0ead 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml @@ -1,4 +1,6 @@ {{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -16,3 +18,4 @@ spec: {{- toYaml . | nindent 2 }} {{- end }} {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml index c0147ce210..454d2a4d2b 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml @@ -139,6 +139,9 @@ _internal_defaults_do_not_set: # By default, the `podDisruptionBudget` is disabled (set to `{}`), # which means that no PodDisruptionBudget resource will be created. # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # # To enable the PodDisruptionBudget, configure it by specifying the # `minAvailable` or `maxUnavailable`. For example, to set the # minimum number of available replicas to 1, you can update this value as follows: diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml index d9c86f43fa..40f39511ac 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml @@ -161,10 +161,10 @@ rules: - apiGroups: ["gateway.networking.k8s.io"] resources: ["gatewayclasses"] verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] + - apiGroups: ["inference.networking.k8s.io"] resources: ["inferencepools"] verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] + - apiGroups: ["inference.networking.k8s.io"] resources: ["inferencepools/status"] verbs: ["update", "patch"] diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml index d21cd919d3..fcd6c7c2e4 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml @@ -1,6 +1,8 @@ # Not created if istiod is running remotely {{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} {{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -34,3 +36,4 @@ spec: --- {{- end }} {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml index 827da9284c..6570ae1417 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml @@ -287,6 +287,10 @@ _internal_defaults_do_not_set: logging: level: "default:info" + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + omitSidecarInjectorConfigMap: false # Configure whether Operator manages webhook configurations. The current behavior diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml index 827da9284c..6570ae1417 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml @@ -287,6 +287,10 @@ _internal_defaults_do_not_set: logging: level: "default:info" + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + omitSidecarInjectorConfigMap: false # Configure whether Operator manages webhook configurations. The current behavior diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/networkpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/networkpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/networkpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml index ff4b7c7466..9fe9f0dc3a 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml @@ -17,6 +17,11 @@ _internal_defaults_do_not_set: # corresponds to the networks in the map of mesh networks. network: "" + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. resourceName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag index 85755b0c38..c7d66b65e8 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag @@ -1 +1 @@ -5b26a7e0cc5f3f7d5cbd2cf5265fdb82 +023c4b4ba66f9fe8cc19b6d4791ff6d004fac662d78ff5cf89d6ec9bf551fbf5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag index abab054607..46126a8c65 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag @@ -1 +1 @@ -ecb9534d3e8c29e86377d1f56df070c0 +d338fa67a4fbde0eebbb7e50e4681c81ac0550cfd9ae7ce37d9ecbe310e3f1de diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag index e8270b5266..600d7e101c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag @@ -1 +1 @@ -52aa229cba3bb3d940cda9e7a6697acd +d11c9653fa7e9e204abff6dc52b2e965f86fb2caf8d2feaee01e848554c8c37c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag index e881d16d82..8a828cf748 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag @@ -1 +1 @@ -ef36ec00906f364ae84a4ffb82e14495 +480cc9a3a64d132bceeba46150ecd2d55c0fb17fbdfc6858d6f12d1cc81e73d1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/base-1.27.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/base-1.27.6.tgz.etag deleted file mode 100644 index 1c0dab2d54..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/base-1.27.6.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -419e493293c56dc96204907406c5c88a diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/Chart.yaml deleted file mode 100644 index deab057d6c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.6 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.27.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/Chart.yaml deleted file mode 100644 index 82e0554728..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.6 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.27.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 6f6ef329a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 896de3d038..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,248 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/values.yaml deleted file mode 100644 index a194630836..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/cni/values.yaml +++ /dev/null @@ -1,178 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.27.6 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/Chart.yaml deleted file mode 100644 index a2327378ed..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.6 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.27.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index b0155cdf05..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/values.yaml deleted file mode 100644 index c5ac32ad2b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/values.yaml +++ /dev/null @@ -1,194 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Additional labels to add to the service selector - selectorLabels: {} - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/Chart.yaml deleted file mode 100644 index add31efd3b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.6 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.27.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 616fb42c71..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,401 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 3e6a2f5dc1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,396 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9b952ba857..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index d9c86f43fa..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 1b8fa4d079..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 9d931c4065..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a8446a6fc9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,111 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 1b769c6ec7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,312 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index ca017194e6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,164 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index d21cd919d3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index dbaa805035..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/remote-istiod-endpoints.yaml deleted file mode 100644 index f13b8ce9a9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/remote-istiod-endpoints.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index 0a48b9918b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/role.yaml deleted file mode 100644 index bbcfbe4356..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0c66b38a7d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/service.yaml deleted file mode 100644 index 25bda4dfd2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,57 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index 8b4a0c0faf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 8562a52d59..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index b49bf7fafd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,68 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/values.yaml deleted file mode 100644 index ccfcaa5527..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.6 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/Chart.yaml deleted file mode 100644 index 2473cf0161..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.6 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/values.yaml deleted file mode 100644 index ccfcaa5527..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/revisiontags/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.6 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/Chart.yaml deleted file mode 100644 index 32717b58f0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.6 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.27.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 7de85a2d18..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,210 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/values.yaml deleted file mode 100644 index 15b04e40a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/ztunnel/values.yaml +++ /dev/null @@ -1,128 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.27.6 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/cni-1.27.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/cni-1.27.6.tgz.etag deleted file mode 100644 index c2c482ca8a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/cni-1.27.6.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -9c5b26001eb8487f6ff49b60134431bf diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/commit deleted file mode 100644 index 2a5aed46be..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/commit +++ /dev/null @@ -1 +0,0 @@ -1.27.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/gateway-1.27.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/gateway-1.27.6.tgz.etag deleted file mode 100644 index 0e9859e54f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/gateway-1.27.6.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -75451d4a1c872424cb6aea0df39d12f4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/istiod-1.27.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/istiod-1.27.6.tgz.etag deleted file mode 100644 index e6124aa46a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/istiod-1.27.6.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -98c26831eafe25f258fc67e4daa2f22b diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/ztunnel-1.27.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/ztunnel-1.27.6.tgz.etag deleted file mode 100644 index 727e1cfc99..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/ztunnel-1.27.6.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -58ba734fd3e7a2c2c080053b223bbb3e diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/base-1.27.7.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/base-1.27.7.tgz.etag deleted file mode 100644 index 12ec874cc9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/base-1.27.7.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -fbcab022dd3ca04fc5d1d345c7599180 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/Chart.yaml deleted file mode 100644 index 7efa8302c1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.7 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.27.7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/Chart.yaml deleted file mode 100644 index 6bbb973431..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.7 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.27.7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 6f6ef329a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 896de3d038..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,248 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/values.yaml deleted file mode 100644 index e5cb420e53..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/values.yaml +++ /dev/null @@ -1,178 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.27.7 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/Chart.yaml deleted file mode 100644 index 6ea5276a10..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.7 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.27.7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index b0155cdf05..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/service.yaml deleted file mode 100644 index e8e2cdb588..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,72 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if hasKey .Values.service "loadBalancerClass" }} - loadBalancerClass: {{ .Values.service.loadBalancerClass }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} - {{- with .Values.service.selectorLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/values.schema.json deleted file mode 100644 index c28db45139..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/values.schema.json +++ /dev/null @@ -1,359 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "selectorLabels": { - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/values.yaml deleted file mode 100644 index c5ac32ad2b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/values.yaml +++ /dev/null @@ -1,194 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Additional labels to add to the service selector - selectorLabels: {} - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/Chart.yaml deleted file mode 100644 index 5c3fa1a78a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.7 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.27.7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 468e9ac4ac..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,541 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 616fb42c71..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,401 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 3e6a2f5dc1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,396 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9b952ba857..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index d9c86f43fa..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.x-k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 1b8fa4d079..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 9d931c4065..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a8446a6fc9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,111 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 1b769c6ec7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,312 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index ca017194e6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,164 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index d21cd919d3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index dbaa805035..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/remote-istiod-endpoints.yaml deleted file mode 100644 index f13b8ce9a9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/remote-istiod-endpoints.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index 0a48b9918b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/role.yaml deleted file mode 100644 index bbcfbe4356..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0c66b38a7d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/service.yaml deleted file mode 100644 index 25bda4dfd2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,57 +0,0 @@ -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index 8b4a0c0faf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 8562a52d59..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,63 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index b49bf7fafd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,68 +0,0 @@ -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/values.yaml deleted file mode 100644 index 1a912db005..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.7 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/Chart.yaml deleted file mode 100644 index 299c39630a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.7 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/templates/revision-tags.yaml deleted file mode 100644 index 06764a826e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/templates/revision-tags.yaml +++ /dev/null @@ -1,149 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/values.yaml deleted file mode 100644 index 1a912db005..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/values.yaml +++ /dev/null @@ -1,569 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.27.7 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/Chart.yaml deleted file mode 100644 index ae7de2e187..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.27.7 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.27.7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.24.yaml deleted file mode 100644 index 4f3dbef7ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.24.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - PILOT_ENABLE_IP_AUTOALLOCATE: "false" - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - dnsCapture: false - reconcileIptablesOnStartup: false - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index b2f45948c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index af10697326..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 7de85a2d18..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,210 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/values.yaml deleted file mode 100644 index 80b2269949..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/values.yaml +++ /dev/null @@ -1,128 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.27.7 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/cni-1.27.7.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/cni-1.27.7.tgz.etag deleted file mode 100644 index bfa2c3ff5d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/cni-1.27.7.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -a6e6e33773471e61faf7c5f5c083aa1b diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/commit deleted file mode 100644 index 127aeda7e5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/commit +++ /dev/null @@ -1 +0,0 @@ -1.27.7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/gateway-1.27.7.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/gateway-1.27.7.tgz.etag deleted file mode 100644 index 5f86604eab..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/gateway-1.27.7.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -ab9ab0f23481b2448aef566140633e7d diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/istiod-1.27.7.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/istiod-1.27.7.tgz.etag deleted file mode 100644 index 26f9f656fb..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/istiod-1.27.7.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -6be7d3b256dd1f380a4171a8ac5acdd6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/ztunnel-1.27.7.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/ztunnel-1.27.7.tgz.etag deleted file mode 100644 index c3085fa294..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/ztunnel-1.27.7.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -9c9b08aa66cfcf56745711a3c134f760 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/base-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/base-1.27.8.tgz.etag new file mode 100644 index 0000000000..d5edee9229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/base-1.27.8.tgz.etag @@ -0,0 +1 @@ +7a8b8f8bb2e96e57d710fd96d639773cf69abab2cc07971b0e9fb0bdd2045b91 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/Chart.yaml new file mode 100644 index 0000000000..3bcb77102d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.24.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.24.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.24.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/base/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/Chart.yaml new file mode 100644 index 0000000000..7e2183f232 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.24.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.24.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.24.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/configmap-cni.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/configmap-cni.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/configmap-cni.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/daemonset.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/cni/templates/daemonset.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/daemonset.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/values.yaml new file mode 100644 index 0000000000..e0c419abfc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/values.yaml @@ -0,0 +1,182 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.27.8 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..bec88e27b4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.24.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.24.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.24.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/deployment.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/gateway/templates/deployment.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/deployment.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.schema.json similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/gateway/values.schema.json rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.schema.json diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.yaml new file mode 100644 index 0000000000..8158afb8d0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.yaml @@ -0,0 +1,197 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + # Additional labels to add to the service selector + selectorLabels: {} + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Use envVarFrom to define full environment variable entries with complex sources, + # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. + # + # Example: + # envVarFrom: + # - name: EXAMPLE_SECRET + # valueFrom: + # secretKeyRef: + # name: example-name + # key: example-key + envVarFrom: [] + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Inject initContainers into the Gateway Pods. + initContainers: [] + + # Inject additional containers into the Gateway Pods. + additionalContainers: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Configure the lifecycle hooks for the gateway. See + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. + lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..d69b178b83 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/gateway-injection-template.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/gateway-injection-template.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/gateway-injection-template.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/grpc-agent.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-agent.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/injection-template.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.6/charts/istiod/files/injection-template.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/injection-template.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/kube-gateway.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/kube-gateway.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/kube-gateway.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.24.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.24.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.24.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/waypoint.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/files/waypoint.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/waypoint.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/autoscale.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/autoscale.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/autoscale.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..40f39511ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,213 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + - xlistenersets/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-jwks.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap-jwks.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-jwks.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/deployment.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/deployment.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/deployment.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/mutatingwebhook.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/mutatingwebhook.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/mutatingwebhook.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..fcd6c7c2e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/reader-clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-endpoints.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-endpoints.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-endpoints.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/remote-istiod-service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/revision-tags.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/revision-tags.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/revision-tags.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/rolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/rolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/rolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/istiod/templates/validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/values.yaml new file mode 100644 index 0000000000..48bb7fb12c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..904f69c416 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.24.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/revision-tags.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/revisiontags/templates/revision-tags.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/revision-tags.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..48bb7fb12c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..df21fd7b2a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.24.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/daemonset.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.2/charts/ztunnel/templates/daemonset.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/daemonset.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..18ae675f31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/values.yaml @@ -0,0 +1,133 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.27.8 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/cni-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/cni-1.27.8.tgz.etag new file mode 100644 index 0000000000..9e01656202 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/cni-1.27.8.tgz.etag @@ -0,0 +1 @@ +9397a945c1645fe8d5fff331e9093afcaa99901d835978e52e43f6544efe7873 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/commit new file mode 100644 index 0000000000..31a078060e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/commit @@ -0,0 +1 @@ +1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/gateway-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/gateway-1.27.8.tgz.etag new file mode 100644 index 0000000000..091f5d45d1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/gateway-1.27.8.tgz.etag @@ -0,0 +1 @@ +e7bca3e1844071152ed9cd855ea600f72f727a0fabd9829636a43f85bf1355c6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/istiod-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/istiod-1.27.8.tgz.etag new file mode 100644 index 0000000000..5810de34d3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/istiod-1.27.8.tgz.etag @@ -0,0 +1 @@ +d1c14f7aea2ae17ff96e2fedcd3abc079539f469c13791e86801a0f41287e0dd diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/ztunnel-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/ztunnel-1.27.8.tgz.etag new file mode 100644 index 0000000000..63de9d2d74 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/ztunnel-1.27.8.tgz.etag @@ -0,0 +1 @@ +a9f3b90a9e58185025ab113f41c5de5601f555e8b56b1377b4547dfe20746087 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/base-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/base-1.28.0.tgz.etag deleted file mode 100644 index 95a40faebb..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/base-1.28.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -7bc3f40a477bc457daf1899a1adc295b diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/Chart.yaml deleted file mode 100644 index 3a585967f2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.0 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.28.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/Chart.yaml deleted file mode 100644 index ec567edeb6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.0 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.28.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 98bc60ac07..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/values.yaml deleted file mode 100644 index b48ac06e71..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Additional labels to apply on the daemonset level - daemonSetLabels: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Additional labels to apply on the pod level - podLabels: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.28.0 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/Chart.yaml deleted file mode 100644 index 0819c9b8bc..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.0 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.28.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/service.yaml deleted file mode 100644 index f555e6c632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if hasKey .Values.service "loadBalancerClass" }} - loadBalancerClass: {{ .Values.service.loadBalancerClass }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} -{{- with .Values.service.internalTrafficPolicy }} - internalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} -{{- if not (eq .Values.service.clusterIP "") }} - clusterIP: {{ .Values.service.clusterIP }} -{{- end }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.schema.json deleted file mode 100644 index 739a67b775..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.schema.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.yaml deleted file mode 100644 index 9975f92851..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/values.yaml +++ /dev/null @@ -1,202 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Set to a specific ClusterIP, or "" for automatic assignment - clusterIP: "" - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # The PodDisruptionBudget can be only enabled if autoscaling is enabled - # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} - - # When enabled, a default NetworkPolicy for gateways will be created - global: - networkPolicy: - enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/Chart.yaml deleted file mode 100644 index f6afa92b6f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.0 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.28.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 6e3102e4c8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,318 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/injection-template.yaml deleted file mode 100644 index ba656bd7f8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,549 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 4599945e9d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,401 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index 0ac37d1cdf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 -{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/values.yaml deleted file mode 100644 index 1a28f38538..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/Chart.yaml deleted file mode 100644 index b7b663e5b1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.0 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/values.yaml deleted file mode 100644 index 1a28f38538..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/Chart.yaml deleted file mode 100644 index 00f9bcda39..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.0 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.28.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/values.yaml deleted file mode 100644 index 21364a58c7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/values.yaml +++ /dev/null @@ -1,136 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.28.0 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/cni-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/cni-1.28.0.tgz.etag deleted file mode 100644 index 9235e27af3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/cni-1.28.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -1741dd04379cd554e8e6c432bc239a92 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/commit deleted file mode 100644 index cfc730712d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/commit +++ /dev/null @@ -1 +0,0 @@ -1.28.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/gateway-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/gateway-1.28.0.tgz.etag deleted file mode 100644 index 573482ff7b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/gateway-1.28.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -2cf540e92003b760d6a99370aee68129 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/istiod-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/istiod-1.28.0.tgz.etag deleted file mode 100644 index 540dc3e240..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/istiod-1.28.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -b0f9abb423e3def023c9371eaef3a172 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/ztunnel-1.28.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/ztunnel-1.28.0.tgz.etag deleted file mode 100644 index c8d4ec7888..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/ztunnel-1.28.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -77b68b902c4286f9d8f8814c14aab329 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/base-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/base-1.28.1.tgz.etag deleted file mode 100644 index 10e19fb89f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/base-1.28.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -18d6ebae74dd3e397808b235f5c67eaa diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/Chart.yaml deleted file mode 100644 index 2fd598dea5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.1 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.28.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/README.md deleted file mode 100644 index ae8f6d5b0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f578..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml deleted file mode 100644 index 30049df989..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml deleted file mode 100644 index dcd16e964f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index bb7a74ff48..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This singleton service account aggregates reader permissions for the revisions in a given cluster -# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, -# as otherwise compromising the token for this SA would give you access to *every* installed revision. -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/values.yaml deleted file mode 100644 index 8353c57d6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/base/values.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - base: - # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. - # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. - # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. - excludedCRDs: [] - # Helm (as of V3) does not support upgrading CRDs, because it is not universally - # safe for them to support this. - # Istio as a project enforces certain backwards-compat guarantees that allow us - # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs - # as standard K8S resources in Helm, and disable Helm's CRD management. See also: - # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts - enableCRDTemplates: true - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/Chart.yaml deleted file mode 100644 index 71b8511b75..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.1 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.28.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/README.md deleted file mode 100644 index f7e5cbd379..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b99..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/_helpers.tpl deleted file mode 100644 index 73cc17b2f6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/_helpers.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{{- define "name" -}} - istio-cni -{{- end }} - - -{{- define "istio-tag" -}} - {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index 51af4ce7ff..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,84 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-repair-role - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-ambient - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - resourceNames: ["{{ template "name" . }}-node"] - verbs: ["get"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 60e3c28be8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-repair-rolebinding - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-repair-role -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-ambient - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-ambient -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 98bc60ac07..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 6d1dda2902..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,252 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} - {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 37ef7c3e6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if eq .Values.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: {{ template "name" . }} - namespace: default - labels: - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 2e0be5ab40..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ template "name" . }}-resource-quota - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 17c8e64a9d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzy_descope_legacy.yaml deleted file mode 100644 index a9584ac29f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/values.yaml deleted file mode 100644 index c38a2654d6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/cni/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Additional labels to apply on the daemonset level - daemonSetLabels: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Additional labels to apply on the pod level - podLabels: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.28.1 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/Chart.yaml deleted file mode 100644 index 7032b53511..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.1 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.28.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/README.md deleted file mode 100644 index 6344859a22..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index e5a0a9b3c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,40 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{- define "gateway.labels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if and (ne $key "app") (ne $key "istio") }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} -istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} -{{- end }} - -{{/* -Keep sidecar injection labels together -https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy -*/}} -{{- define "gateway.sidecarInjectionLabels" -}} -sidecar.istio.io/inject: "true" -{{- with .Values.revision }} -istio.io/rev: {{ . | quote }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 64ecb6a4cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/networkpolicy.yaml deleted file mode 100644 index ea2fab97b3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "gateway.name" . }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Gateway" - istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} - release: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "gateway.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - ingress: - # Status/health check port - - from: [] - ports: - - protocol: TCP - port: 15021 - # Metrics endpoints for monitoring/prometheus - - from: [] - ports: - - protocol: TCP - port: 15020 - - protocol: TCP - port: 15090 - # Main gateway traffic ports -{{- if .Values.service.ports }} -{{- range .Values.service.ports }} - - from: [] - ports: - - protocol: {{ .protocol | default "TCP" }} - port: {{ .targetPort | default .port }} -{{- end }} -{{- end }} - egress: - # Allow all egress (gateways need to reach external services, istiod, and other cluster services) - - {} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/role.yaml deleted file mode 100644 index 3d16079632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/service.yaml deleted file mode 100644 index f555e6c632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if hasKey .Values.service "loadBalancerClass" }} - loadBalancerClass: {{ .Values.service.loadBalancerClass }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} -{{- with .Values.service.internalTrafficPolicy }} - internalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} -{{- if not (eq .Values.service.clusterIP "") }} - clusterIP: {{ .Values.service.clusterIP }} -{{- end }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index c88afeadd3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.schema.json deleted file mode 100644 index 739a67b775..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.schema.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.yaml deleted file mode 100644 index 9975f92851..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/gateway/values.yaml +++ /dev/null @@ -1,202 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Set to a specific ClusterIP, or "" for automatic assignment - clusterIP: "" - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # The PodDisruptionBudget can be only enabled if autoscaling is enabled - # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} - - # When enabled, a default NetworkPolicy for gateways will be created - global: - networkPolicy: - enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/Chart.yaml deleted file mode 100644 index 86d16f2284..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.1 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.28.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/README.md deleted file mode 100644 index 44f7b1d8ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 6e3102e4c8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,318 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/injection-template.yaml deleted file mode 100644 index ba656bd7f8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,549 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 8a34ea8a8c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,407 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0d07ea7f4c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,82 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- $profile := default "" .Values.profile }} -{{- if (eq $profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} -{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} -{{- fail "pilotCertProvider=kubernetes is not supported" }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 042c92538d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9ab43b5bf0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index 3280c96b54..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,216 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 0ca21b9576..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 45943d3839..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-values.yaml deleted file mode 100644 index dcd1e3530c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap-values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - original-values: |- -{{ .Values._original | toPrettyJson | indent 4 }} -{{- $_ := unset $.Values "_original" }} - merged-values: |- -{{ .Values | toPrettyJson | indent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a24ff9ee24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 15107e745c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,314 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/gateway-class-configmap.yaml deleted file mode 100644 index 9f7cdb01da..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/gateway-class-configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{ range $key, $value := .Values.gatewayClasses }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} - namespace: {{ $.Release.Namespace }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - gateway.istio.io/defaults-for-class: {{$key|quote}} - {{- include "istio.labels" $ | nindent 4 }} -data: -{{ range $kind, $overlay := $value }} - {{$kind}}: | -{{$overlay|toYaml|trim|indent 4}} -{{ end }} ---- -{{ end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index a5a6cf9ae8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,83 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" "env" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 26a6c8f00d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,167 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/networkpolicy.yaml deleted file mode 100644 index e844d5e5de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - policyTypes: - - Ingress - - Egress - ingress: - # Webhook from kube-apiserver - - from: [] - ports: - - protocol: TCP - port: 15017 - # xDS from potentially anywhere - - from: [] - ports: - - protocol: TCP - port: 15010 - - protocol: TCP - port: 15011 - - protocol: TCP - port: 15012 - - protocol: TCP - port: 8080 - - protocol: TCP - port: 15014 - # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) - egress: - - {} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index 0ac37d1cdf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 -{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index e0b0ff42a4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 624f00dce6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-endpointslices.yaml deleted file mode 100644 index e2f4ff03b6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-endpointslices.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: discovery.k8s.io/v1 -kind: EndpointSlice -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - {{- if .Release.Service }} - endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} - {{- end }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -addressType: IPv4 -endpoints: -- addresses: - - {{ .Values.global.remotePilotAddress }} -ports: -- port: 15012 - name: tcp-istiod - protocol: TCP -- port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index ab14497bac..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/role.yaml deleted file mode 100644 index 8abe608b66..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 731964f04d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/service.yaml deleted file mode 100644 index c3aade8a49..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index ee40eedf81..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 838d9fbaf7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 6903b29b50..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,70 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzy_descope_legacy.yaml deleted file mode 100644 index 73202418ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/values.yaml deleted file mode 100644 index e7c198a710..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.1 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/Chart.yaml deleted file mode 100644 index 33252c1b3d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.1 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/values.yaml deleted file mode 100644 index e7c198a710..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/revisiontags/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.1 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/Chart.yaml deleted file mode 100644 index 45347caab9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.1 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.28.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/README.md deleted file mode 100644 index 72ea6892e5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db06..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/_helpers.tpl deleted file mode 100644 index 46a7a0b79d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/_helpers.tpl +++ /dev/null @@ -1 +0,0 @@ -{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index b10e99cfa4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,212 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 18291716bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} -{{- if (eq (.Values.platform | default "") "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "ztunnel.release-name" . }} -subjects: -- kind: ServiceAccount - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/resourcequota.yaml deleted file mode 100644 index d33c9fe137..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/resourcequota.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/serviceaccount.yaml deleted file mode 100644 index e1146f3920..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/values.yaml deleted file mode 100644 index d49aba1e1d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/ztunnel/values.yaml +++ /dev/null @@ -1,136 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.28.1 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/cni-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/cni-1.28.1.tgz.etag deleted file mode 100644 index 5c3eac5f35..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/cni-1.28.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -cd216a48dd11d6d2a8b8a5b626c4135c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/commit deleted file mode 100644 index 450a687b2d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/commit +++ /dev/null @@ -1 +0,0 @@ -1.28.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/gateway-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/gateway-1.28.1.tgz.etag deleted file mode 100644 index f0958f6ffd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/gateway-1.28.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -aa1fffd54212764d07ed8b53120466d4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/istiod-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/istiod-1.28.1.tgz.etag deleted file mode 100644 index a2ec0dd7b6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/istiod-1.28.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -46d3d78d4021ca730051fe389d19ccc8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/ambient.yaml deleted file mode 100644 index 71ea784a80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/default.yaml deleted file mode 100644 index 8f1ef19676..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true - ztunnel: - resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/demo.yaml deleted file mode 100644 index 53c4b41633..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/empty.yaml deleted file mode 100644 index 4477cb1fe1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1 -kind: Istio -spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift-ambient.yaml deleted file mode 100644 index 76edf00cd8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift.yaml deleted file mode 100644 index 41492660fe..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/openshift.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/preview.yaml deleted file mode 100644 index 59d545c840..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/remote.yaml deleted file mode 100644 index 54c65c8ba9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/remote.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/stable.yaml deleted file mode 100644 index 285feba244..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/ztunnel-1.28.1.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/ztunnel-1.28.1.tgz.etag deleted file mode 100644 index 05736d7616..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/ztunnel-1.28.1.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -7e182d4fa644f5d1441bf46643460739 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/base-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/base-1.28.2.tgz.etag deleted file mode 100644 index cd7bf68d9b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/base-1.28.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -a451d9ebf87f9cd7f1a9ccb9d99208f0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/Chart.yaml deleted file mode 100644 index caf6d26a1d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.2 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.28.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/README.md deleted file mode 100644 index ae8f6d5b0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f578..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml deleted file mode 100644 index 30049df989..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml deleted file mode 100644 index dcd16e964f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index bb7a74ff48..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This singleton service account aggregates reader permissions for the revisions in a given cluster -# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, -# as otherwise compromising the token for this SA would give you access to *every* installed revision. -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/values.yaml deleted file mode 100644 index 8353c57d6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/base/values.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - base: - # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. - # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. - # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. - excludedCRDs: [] - # Helm (as of V3) does not support upgrading CRDs, because it is not universally - # safe for them to support this. - # Istio as a project enforces certain backwards-compat guarantees that allow us - # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs - # as standard K8S resources in Helm, and disable Helm's CRD management. See also: - # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts - enableCRDTemplates: true - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/Chart.yaml deleted file mode 100644 index 192d1773be..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.2 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.28.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/README.md deleted file mode 100644 index f7e5cbd379..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b99..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/_helpers.tpl deleted file mode 100644 index 73cc17b2f6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/_helpers.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{{- define "name" -}} - istio-cni -{{- end }} - - -{{- define "istio-tag" -}} - {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index 51af4ce7ff..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,84 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-repair-role - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-ambient - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - resourceNames: ["{{ template "name" . }}-node"] - verbs: ["get"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 60e3c28be8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-repair-rolebinding - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-repair-role -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-ambient - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-ambient -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 98bc60ac07..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 6d1dda2902..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,252 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} - {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 37ef7c3e6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if eq .Values.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: {{ template "name" . }} - namespace: default - labels: - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 2e0be5ab40..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ template "name" . }}-resource-quota - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 17c8e64a9d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzy_descope_legacy.yaml deleted file mode 100644 index a9584ac29f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/values.yaml deleted file mode 100644 index c2273d89f5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/cni/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Additional labels to apply on the daemonset level - daemonSetLabels: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Additional labels to apply on the pod level - podLabels: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.28.2 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/Chart.yaml deleted file mode 100644 index c4d6c29618..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.2 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.28.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/README.md deleted file mode 100644 index 6344859a22..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index e5a0a9b3c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,40 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{- define "gateway.labels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if and (ne $key "app") (ne $key "istio") }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} -istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} -{{- end }} - -{{/* -Keep sidecar injection labels together -https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy -*/}} -{{- define "gateway.sidecarInjectionLabels" -}} -sidecar.istio.io/inject: "true" -{{- with .Values.revision }} -istio.io/rev: {{ . | quote }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 64ecb6a4cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/networkpolicy.yaml deleted file mode 100644 index ea2fab97b3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "gateway.name" . }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Gateway" - istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} - release: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "gateway.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - ingress: - # Status/health check port - - from: [] - ports: - - protocol: TCP - port: 15021 - # Metrics endpoints for monitoring/prometheus - - from: [] - ports: - - protocol: TCP - port: 15020 - - protocol: TCP - port: 15090 - # Main gateway traffic ports -{{- if .Values.service.ports }} -{{- range .Values.service.ports }} - - from: [] - ports: - - protocol: {{ .protocol | default "TCP" }} - port: {{ .targetPort | default .port }} -{{- end }} -{{- end }} - egress: - # Allow all egress (gateways need to reach external services, istiod, and other cluster services) - - {} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/role.yaml deleted file mode 100644 index 3d16079632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/service.yaml deleted file mode 100644 index f555e6c632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if hasKey .Values.service "loadBalancerClass" }} - loadBalancerClass: {{ .Values.service.loadBalancerClass }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} -{{- with .Values.service.internalTrafficPolicy }} - internalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} -{{- if not (eq .Values.service.clusterIP "") }} - clusterIP: {{ .Values.service.clusterIP }} -{{- end }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index c88afeadd3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.schema.json deleted file mode 100644 index 739a67b775..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.schema.json +++ /dev/null @@ -1,353 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.yaml deleted file mode 100644 index 9975f92851..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/gateway/values.yaml +++ /dev/null @@ -1,202 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Set to a specific ClusterIP, or "" for automatic assignment - clusterIP: "" - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # The PodDisruptionBudget can be only enabled if autoscaling is enabled - # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} - - # When enabled, a default NetworkPolicy for gateways will be created - global: - networkPolicy: - enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/Chart.yaml deleted file mode 100644 index 34b7ec7aa6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.2 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.28.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/README.md deleted file mode 100644 index 44f7b1d8ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 6e3102e4c8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,318 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/injection-template.yaml deleted file mode 100644 index ba656bd7f8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,549 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 8a34ea8a8c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,407 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 7feed59a36..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,405 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- if eq .ControllerLabel "istio.io-eastwest-controller" }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{ $network }}" - {{- end }} - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0d07ea7f4c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,82 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- $profile := default "" .Values.profile }} -{{- if (eq $profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} -{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} -{{- fail "pilotCertProvider=kubernetes is not supported" }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 042c92538d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9ab43b5bf0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index 3280c96b54..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,216 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 0ca21b9576..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 45943d3839..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-values.yaml deleted file mode 100644 index dcd1e3530c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap-values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - original-values: |- -{{ .Values._original | toPrettyJson | indent 4 }} -{{- $_ := unset $.Values "_original" }} - merged-values: |- -{{ .Values | toPrettyJson | indent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a24ff9ee24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 15107e745c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,314 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/gateway-class-configmap.yaml deleted file mode 100644 index 9f7cdb01da..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/gateway-class-configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{ range $key, $value := .Values.gatewayClasses }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} - namespace: {{ $.Release.Namespace }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - gateway.istio.io/defaults-for-class: {{$key|quote}} - {{- include "istio.labels" $ | nindent 4 }} -data: -{{ range $kind, $overlay := $value }} - {{$kind}}: | -{{$overlay|toYaml|trim|indent 4}} -{{ end }} ---- -{{ end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index a5a6cf9ae8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,83 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" "env" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 26a6c8f00d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,167 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/networkpolicy.yaml deleted file mode 100644 index e844d5e5de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - policyTypes: - - Ingress - - Egress - ingress: - # Webhook from kube-apiserver - - from: [] - ports: - - protocol: TCP - port: 15017 - # xDS from potentially anywhere - - from: [] - ports: - - protocol: TCP - port: 15010 - - protocol: TCP - port: 15011 - - protocol: TCP - port: 15012 - - protocol: TCP - port: 8080 - - protocol: TCP - port: 15014 - # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) - egress: - - {} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index 0ac37d1cdf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 -{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index e0b0ff42a4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 624f00dce6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-endpointslices.yaml deleted file mode 100644 index e2f4ff03b6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-endpointslices.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: discovery.k8s.io/v1 -kind: EndpointSlice -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - {{- if .Release.Service }} - endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} - {{- end }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -addressType: IPv4 -endpoints: -- addresses: - - {{ .Values.global.remotePilotAddress }} -ports: -- port: 15012 - name: tcp-istiod - protocol: TCP -- port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index ab14497bac..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/role.yaml deleted file mode 100644 index 8abe608b66..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 731964f04d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/service.yaml deleted file mode 100644 index c3aade8a49..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index ee40eedf81..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 838d9fbaf7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 6903b29b50..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,70 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzy_descope_legacy.yaml deleted file mode 100644 index 73202418ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/values.yaml deleted file mode 100644 index b6c13bf43e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/istiod/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/Chart.yaml deleted file mode 100644 index 3e1c166f51..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.2 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/values.yaml deleted file mode 100644 index b6c13bf43e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/revisiontags/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.2 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/Chart.yaml deleted file mode 100644 index 8678090017..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.2 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.28.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/README.md deleted file mode 100644 index 72ea6892e5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db06..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/_helpers.tpl deleted file mode 100644 index 46a7a0b79d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/_helpers.tpl +++ /dev/null @@ -1 +0,0 @@ -{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index b10e99cfa4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,212 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 18291716bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} -{{- if (eq (.Values.platform | default "") "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "ztunnel.release-name" . }} -subjects: -- kind: ServiceAccount - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/resourcequota.yaml deleted file mode 100644 index d33c9fe137..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/resourcequota.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/serviceaccount.yaml deleted file mode 100644 index e1146f3920..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/values.yaml deleted file mode 100644 index a3ae5e7edf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/charts/ztunnel/values.yaml +++ /dev/null @@ -1,136 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.28.2 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/cni-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/cni-1.28.2.tgz.etag deleted file mode 100644 index 74ab39357b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/cni-1.28.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -d6a48ca4cd966b435a0517b2006312c8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/commit deleted file mode 100644 index bf4df28efc..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/commit +++ /dev/null @@ -1 +0,0 @@ -1.28.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/gateway-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/gateway-1.28.2.tgz.etag deleted file mode 100644 index 6034648ad8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/gateway-1.28.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -463bbd84d9bf1ba34b6550b054f543d8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/istiod-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/istiod-1.28.2.tgz.etag deleted file mode 100644 index 9fc37e115f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/istiod-1.28.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -02466bd34e6fdcdacbfb4e925e72ba51 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/ambient.yaml deleted file mode 100644 index 71ea784a80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/default.yaml deleted file mode 100644 index 8f1ef19676..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true - ztunnel: - resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/demo.yaml deleted file mode 100644 index 53c4b41633..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/empty.yaml deleted file mode 100644 index 4477cb1fe1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1 -kind: Istio -spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift-ambient.yaml deleted file mode 100644 index 76edf00cd8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift.yaml deleted file mode 100644 index 41492660fe..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/openshift.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/preview.yaml deleted file mode 100644 index 59d545c840..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/remote.yaml deleted file mode 100644 index 54c65c8ba9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/remote.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/stable.yaml deleted file mode 100644 index 285feba244..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/ztunnel-1.28.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/ztunnel-1.28.2.tgz.etag deleted file mode 100644 index 8f088c28c3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.2/ztunnel-1.28.2.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -9091d2b23f4401c30063ade1fd73a7d2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/base-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/base-1.28.3.tgz.etag deleted file mode 100644 index d425be4008..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/base-1.28.3.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -e96f57338a9da3e1c3e1b08a768607c4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/Chart.yaml deleted file mode 100644 index a3d44a4238..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.3 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.28.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/README.md deleted file mode 100644 index ae8f6d5b0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f578..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml deleted file mode 100644 index 30049df989..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml deleted file mode 100644 index dcd16e964f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index bb7a74ff48..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This singleton service account aggregates reader permissions for the revisions in a given cluster -# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, -# as otherwise compromising the token for this SA would give you access to *every* installed revision. -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/values.yaml deleted file mode 100644 index 8353c57d6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/base/values.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - base: - # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. - # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. - # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. - excludedCRDs: [] - # Helm (as of V3) does not support upgrading CRDs, because it is not universally - # safe for them to support this. - # Istio as a project enforces certain backwards-compat guarantees that allow us - # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs - # as standard K8S resources in Helm, and disable Helm's CRD management. See also: - # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts - enableCRDTemplates: true - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/Chart.yaml deleted file mode 100644 index 61996e2b20..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.3 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.28.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/README.md deleted file mode 100644 index f7e5cbd379..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b99..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/_helpers.tpl deleted file mode 100644 index 73cc17b2f6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/_helpers.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{{- define "name" -}} - istio-cni -{{- end }} - - -{{- define "istio-tag" -}} - {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index 51af4ce7ff..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,84 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-repair-role - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-ambient - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - resourceNames: ["{{ template "name" . }}-node"] - verbs: ["get"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 60e3c28be8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-repair-rolebinding - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-repair-role -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-ambient - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-ambient -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 98bc60ac07..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 6d1dda2902..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,252 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} - {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: '1' - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 37ef7c3e6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if eq .Values.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: {{ template "name" . }} - namespace: default - labels: - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 2e0be5ab40..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ template "name" . }}-resource-quota - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 17c8e64a9d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzy_descope_legacy.yaml deleted file mode 100644 index a9584ac29f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/values.yaml deleted file mode 100644 index a7b72fe037..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/cni/values.yaml +++ /dev/null @@ -1,192 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Additional labels to apply on the daemonset level - daemonSetLabels: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Additional labels to apply on the pod level - podLabels: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This will eventually be enabled by default - reconcileIptablesOnStartup: false - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.28.3 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/Chart.yaml deleted file mode 100644 index d41b4ee178..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.3 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.28.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/README.md deleted file mode 100644 index 6344859a22..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index e5a0a9b3c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,40 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{- define "gateway.labels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if and (ne $key "app") (ne $key "istio") }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} -istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} -{{- end }} - -{{/* -Keep sidecar injection labels together -https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy -*/}} -{{- define "gateway.sidecarInjectionLabels" -}} -sidecar.istio.io/inject: "true" -{{- with .Values.revision }} -istio.io/rev: {{ . | quote }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 64ecb6a4cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/networkpolicy.yaml deleted file mode 100644 index ea2fab97b3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "gateway.name" . }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Gateway" - istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} - release: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "gateway.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - ingress: - # Status/health check port - - from: [] - ports: - - protocol: TCP - port: 15021 - # Metrics endpoints for monitoring/prometheus - - from: [] - ports: - - protocol: TCP - port: 15020 - - protocol: TCP - port: 15090 - # Main gateway traffic ports -{{- if .Values.service.ports }} -{{- range .Values.service.ports }} - - from: [] - ports: - - protocol: {{ .protocol | default "TCP" }} - port: {{ .targetPort | default .port }} -{{- end }} -{{- end }} - egress: - # Allow all egress (gateways need to reach external services, istiod, and other cluster services) - - {} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/role.yaml deleted file mode 100644 index 3d16079632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index c88afeadd3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/Chart.yaml deleted file mode 100644 index c1e3222117..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.3 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.28.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/README.md deleted file mode 100644 index 44f7b1d8ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index bc15ee3c31..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,274 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 6e3102e4c8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,318 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/injection-template.yaml deleted file mode 100644 index ba656bd7f8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,549 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: istio-ca-crl - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 8a34ea8a8c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,407 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 7feed59a36..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,405 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- if eq .ControllerLabel "istio.io-eastwest-controller" }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{ $network }}" - {{- end }} - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0d07ea7f4c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,82 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- $profile := default "" .Values.profile }} -{{- if (eq $profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} -{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} -{{- fail "pilotCertProvider=kubernetes is not supported" }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 042c92538d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9ab43b5bf0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index 3280c96b54..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,216 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 0ca21b9576..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 45943d3839..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-values.yaml deleted file mode 100644 index dcd1e3530c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap-values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - original-values: |- -{{ .Values._original | toPrettyJson | indent 4 }} -{{- $_ := unset $.Values "_original" }} - merged-values: |- -{{ .Values | toPrettyJson | indent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a24ff9ee24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 15107e745c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,314 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/gateway-class-configmap.yaml deleted file mode 100644 index 9f7cdb01da..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/gateway-class-configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{ range $key, $value := .Values.gatewayClasses }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} - namespace: {{ $.Release.Namespace }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - gateway.istio.io/defaults-for-class: {{$key|quote}} - {{- include "istio.labels" $ | nindent 4 }} -data: -{{ range $kind, $overlay := $value }} - {{$kind}}: | -{{$overlay|toYaml|trim|indent 4}} -{{ end }} ---- -{{ end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index a5a6cf9ae8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,83 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" "env" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 26a6c8f00d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,167 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/networkpolicy.yaml deleted file mode 100644 index e844d5e5de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - policyTypes: - - Ingress - - Egress - ingress: - # Webhook from kube-apiserver - - from: [] - ports: - - protocol: TCP - port: 15017 - # xDS from potentially anywhere - - from: [] - ports: - - protocol: TCP - port: 15010 - - protocol: TCP - port: 15011 - - protocol: TCP - port: 15012 - - protocol: TCP - port: 8080 - - protocol: TCP - port: 15014 - # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) - egress: - - {} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index 0ac37d1cdf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 -{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index e0b0ff42a4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 624f00dce6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-endpointslices.yaml deleted file mode 100644 index e2f4ff03b6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-endpointslices.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: discovery.k8s.io/v1 -kind: EndpointSlice -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - {{- if .Release.Service }} - endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} - {{- end }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -addressType: IPv4 -endpoints: -- addresses: - - {{ .Values.global.remotePilotAddress }} -ports: -- port: 15012 - name: tcp-istiod - protocol: TCP -- port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index ab14497bac..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/role.yaml deleted file mode 100644 index 8abe608b66..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 731964f04d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/service.yaml deleted file mode 100644 index c3aade8a49..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index ee40eedf81..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 838d9fbaf7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 6903b29b50..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,70 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzy_descope_legacy.yaml deleted file mode 100644 index 73202418ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/values.yaml deleted file mode 100644 index 875383ea24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/istiod/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.3 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/Chart.yaml deleted file mode 100644 index a7e92aab5c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.3 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/values.yaml deleted file mode 100644 index 875383ea24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/revisiontags/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.28.3 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/Chart.yaml deleted file mode 100644 index d09d91961e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.28.3 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.28.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/README.md deleted file mode 100644 index 72ea6892e5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index d04117bfc0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index 8fe80112bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index 209157cccf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db06..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/_helpers.tpl deleted file mode 100644 index 46a7a0b79d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/_helpers.tpl +++ /dev/null @@ -1 +0,0 @@ -{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index b10e99cfa4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,212 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 18291716bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} -{{- if (eq (.Values.platform | default "") "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "ztunnel.release-name" . }} -subjects: -- kind: ServiceAccount - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/resourcequota.yaml deleted file mode 100644 index d33c9fe137..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/resourcequota.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/serviceaccount.yaml deleted file mode 100644 index e1146f3920..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/values.yaml deleted file mode 100644 index 873922159a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/ztunnel/values.yaml +++ /dev/null @@ -1,136 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.28.3 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/cni-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/cni-1.28.3.tgz.etag deleted file mode 100644 index 45b88f41b7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/cni-1.28.3.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -2fdce22e41dcf85b354a52ac22b38545 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/commit deleted file mode 100644 index ac786b6454..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/commit +++ /dev/null @@ -1 +0,0 @@ -1.28.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/gateway-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/gateway-1.28.3.tgz.etag deleted file mode 100644 index 6d14181372..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/gateway-1.28.3.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -87531546798e63fea2011e05bf043b92 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/istiod-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/istiod-1.28.3.tgz.etag deleted file mode 100644 index a2304b67bb..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/istiod-1.28.3.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -80b4ccabd73127664f7e5eb5ee7ae6c9 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/ambient.yaml deleted file mode 100644 index 71ea784a80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/default.yaml deleted file mode 100644 index 8f1ef19676..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true - ztunnel: - resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/demo.yaml deleted file mode 100644 index 53c4b41633..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/empty.yaml deleted file mode 100644 index 4477cb1fe1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1 -kind: Istio -spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift-ambient.yaml deleted file mode 100644 index 76edf00cd8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift.yaml deleted file mode 100644 index 41492660fe..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/openshift.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/preview.yaml deleted file mode 100644 index 59d545c840..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/remote.yaml deleted file mode 100644 index 54c65c8ba9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/remote.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/stable.yaml deleted file mode 100644 index 285feba244..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/ztunnel-1.28.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/ztunnel-1.28.3.tgz.etag deleted file mode 100644 index c12377522e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/ztunnel-1.28.3.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -f1b915596d91081396743c9ab367bdf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag index 22a24c9418..a239f7b721 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag @@ -1 +1 @@ -6063b3c35164b02d805576aa9a764742 +d5cb2b82bfceb6abede183cf809b6e4cad17dbbcf1ebb8c720617d6156a3ec46 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..fde1723fbf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml index 0ac37d1cdf..c8c55822f6 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml @@ -38,4 +38,4 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml index 618f23551d..e08b1cb6b1 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml @@ -17,6 +17,11 @@ _internal_defaults_do_not_set: # corresponds to the networks in the map of mesh networks. network: "" + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. resourceName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag index 0ab84bb9c8..a13884374a 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag @@ -1 +1 @@ -bc40f538b846bd578df46f3318898e36 +34ae11794707a24fd2ba92d251a4f764cc8d8c7a3a699dfe39e0e406d762b72f diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag index 89372815a3..53b95b0f5c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag @@ -1 +1 @@ -75fbe99ff3604d9af5e216f7267e872f +049e5b9e6dfea566263352e32b390f2fc10ce95611dfd5cd1cd299edd5baeb30 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag index beccf8e135..cc2c4a189e 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag @@ -1 +1 @@ -2f7aeb4c63cd1d899efb9fe7b8cdd71e +befe1b4bf7b1b79ba4e2959c75c7f275db4b7ccab26d2a7815f285f4a6a298ce diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag index 65bda0d04e..ebb6e675c2 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag @@ -1 +1 @@ -9c587ddf90690816bb9ed30fb105cf35 +999660af34067b12abeb373ddeae4bb21d9cf76a2edb0d3317461e0f1c94c63c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/base-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/base-1.28.5.tgz.etag new file mode 100644 index 0000000000..05fe8d1588 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/base-1.28.5.tgz.etag @@ -0,0 +1 @@ +94e4517c649096b883ec44253087c10bf991937f49f17801f3d2c8bed2c86512 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/Chart.yaml new file mode 100644 index 0000000000..638f39d3fb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/base/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.27.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-compatibility-version-1.27.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.27.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/reader-serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/reader-serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/base/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/Chart.yaml new file mode 100644 index 0000000000..ee867525c1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/cni/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.27.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-compatibility-version-1.27.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.27.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/configmap-cni.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/configmap-cni.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/configmap-cni.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/daemonset.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/daemonset.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/daemonset.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/network-attachment-definition.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/network-attachment-definition.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..fde1723fbf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/cni/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/values.yaml new file mode 100644 index 0000000000..1cc5fe663c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/values.yaml @@ -0,0 +1,194 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Additional labels to apply on the daemonset level + daemonSetLabels: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Additional labels to apply on the pod level + podLabels: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors + enableAmbientDetectionRetry: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.28.5 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..45616fb5af --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.27.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-compatibility-version-1.27.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.27.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/deployment.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/gateway/templates/deployment.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/deployment.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/hpa.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/hpa.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/hpa.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/networkpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/networkpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/networkpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/poddisruptionbudget.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/gateway/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.schema.json similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.schema.json rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.schema.json diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.3/charts/gateway/values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..c6cc1e4bef --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/gateway-injection-template.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/gateway-injection-template.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/gateway-injection-template.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.7/charts/istiod/files/grpc-agent.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-agent.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/grpc-simple.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-simple.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..84463bb43b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/injection-template.yaml @@ -0,0 +1,549 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{- if .Values.global.proxy.seccompProfile }} + seccompProfile: + {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or $tproxy $capNetBindService -}} + add: + {{ if $tproxy -}} + - NET_ADMIN + {{- end }} + {{ if $capNetBindService -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or $tproxy $capNetBindService -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + {{- if .Values.global.proxy.seccompProfile }} + seccompProfile: + {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/kube-gateway.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/kube-gateway.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/kube-gateway.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/istiod/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.27.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-compatibility-version-1.27.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.27.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/waypoint.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.1/charts/istiod/files/waypoint.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/waypoint.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/autoscale.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/autoscale.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/autoscale.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-jwks.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-jwks.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-jwks.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-values.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap-values.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-values.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/deployment.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/deployment.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/deployment.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/gateway-class-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/gateway-class-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/gateway-class-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/istiod-injector-configmap.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/istiod-injector-configmap.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/istiod-injector-configmap.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/mutatingwebhook.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/mutatingwebhook.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/mutatingwebhook.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/networkpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/networkpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/networkpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..c8c55822f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,41 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrole.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrole.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrole.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/reader-clusterrolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-endpointslices.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-endpointslices.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-endpointslices.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/remote-istiod-service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-mwc.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-mwc.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-mwc.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-svc.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/revision-tags-svc.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-svc.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/role.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/role.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/role.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/rolebinding.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/rolebinding.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/rolebinding.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/service.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/service.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/service.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingadmissionpolicy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingadmissionpolicy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingadmissionpolicy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingwebhookconfiguration.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/validatingwebhookconfiguration.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingwebhookconfiguration.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzy_descope_legacy.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzy_descope_legacy.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzy_descope_legacy.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/istiod/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/values.yaml new file mode 100644 index 0000000000..4a199a17c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/values.yaml @@ -0,0 +1,583 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.28.5 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + seccompProfile: {} + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..6a26a2af49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/revisiontags/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.27.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.27.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-mwc.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-mwc.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-mwc.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-svc.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/revision-tags-svc.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-svc.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/revisiontags/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..4a199a17c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/values.yaml @@ -0,0 +1,583 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.28.5 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + seccompProfile: {} + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..9ce6eabd7d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/README.md similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/README.md rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/README.md diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.1/charts/ztunnel/files/profile-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.27.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.27.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-gke.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-gke.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-gke.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3d.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3d.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3d.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-k3s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-microk8s.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-microk8s.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-microk8s.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-minikube.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-minikube.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-minikube.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-platform-openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/files/profile-stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/NOTES.txt similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/NOTES.txt rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/NOTES.txt diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/_helpers.tpl similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/_helpers.tpl rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/_helpers.tpl diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/daemonset.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/daemonset.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/daemonset.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/rbac.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/rbac.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/rbac.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/resourcequota.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/resourcequota.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/resourcequota.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/serviceaccount.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/serviceaccount.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/serviceaccount.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/zzz_profile.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/charts/ztunnel/templates/zzz_profile.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/zzz_profile.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..8ffcbd582b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/values.yaml @@ -0,0 +1,141 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.28.5 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/cni-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/cni-1.28.5.tgz.etag new file mode 100644 index 0000000000..08f171399e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/cni-1.28.5.tgz.etag @@ -0,0 +1 @@ +781602c5085c9cdbb3d35fa52319f6fca977c7bdec1ed37f0ff66ee4a7b739f7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/commit new file mode 100644 index 0000000000..82a5f3bba2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/commit @@ -0,0 +1 @@ +1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/gateway-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/gateway-1.28.5.tgz.etag new file mode 100644 index 0000000000..faabccd307 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/gateway-1.28.5.tgz.etag @@ -0,0 +1 @@ +1bccc53c64f89276f6af41eb5980656123a3ca81e584730168e057b6e9910de6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/istiod-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/istiod-1.28.5.tgz.etag new file mode 100644 index 0000000000..e48b765ade --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/istiod-1.28.5.tgz.etag @@ -0,0 +1 @@ +07ffb66c3b59bf676775a8109ff85c7fa6c17a983c90e25d24fa0dca5f1efc99 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/default.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/default.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/default.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/demo.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/demo.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/demo.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/empty.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/empty.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/empty.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift-ambient.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift-ambient.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift-ambient.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/openshift.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/preview.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/preview.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/preview.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/remote.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/remote.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/remote.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/stable.yaml similarity index 100% rename from vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.0/profiles/stable.yaml rename to vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/stable.yaml diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/ztunnel-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/ztunnel-1.28.5.tgz.etag new file mode 100644 index 0000000000..f9a3a19635 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/ztunnel-1.28.5.tgz.etag @@ -0,0 +1 @@ +2166e1d3f10acd0deec0c1fa0e00e08197252eaf4d587607012b9b33b5e46989 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/base-1.29.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/base-1.29.0.tgz.etag deleted file mode 100644 index fc5084f6f6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/base-1.29.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -fe5cd9b8020bad4e08cd0ded968f1c14 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/Chart.yaml deleted file mode 100644 index 7203f5068c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.29.0 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.29.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/README.md deleted file mode 100644 index ae8f6d5b0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f578..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml deleted file mode 100644 index 30049df989..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml deleted file mode 100644 index dcd16e964f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index bb7a74ff48..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This singleton service account aggregates reader permissions for the revisions in a given cluster -# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, -# as otherwise compromising the token for this SA would give you access to *every* installed revision. -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/values.yaml deleted file mode 100644 index 8353c57d6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/base/values.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - base: - # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. - # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. - # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. - excludedCRDs: [] - # Helm (as of V3) does not support upgrading CRDs, because it is not universally - # safe for them to support this. - # Istio as a project enforces certain backwards-compat guarantees that allow us - # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs - # as standard K8S resources in Helm, and disable Helm's CRD management. See also: - # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts - enableCRDTemplates: true - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/Chart.yaml deleted file mode 100644 index 47f9a24881..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.29.0 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.29.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/README.md deleted file mode 100644 index f7e5cbd379..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b99..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/_helpers.tpl deleted file mode 100644 index 73cc17b2f6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/_helpers.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{{- define "name" -}} - istio-cni -{{- end }} - - -{{- define "istio-tag" -}} - {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index 51af4ce7ff..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,84 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-repair-role - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-ambient - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - resourceNames: ["{{ template "name" . }}-node"] - verbs: ["get"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 60e3c28be8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-repair-rolebinding - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-repair-role -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-ambient - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-ambient -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 0be2784012..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,252 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} - {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Time to allow for graceful CNI cleanup during pod termination. - # Configurable via values.yaml to prevent race conditions during rolling updates. - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 37ef7c3e6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if eq .Values.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: {{ template "name" . }} - namespace: default - labels: - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 2e0be5ab40..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ template "name" . }}-resource-quota - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 17c8e64a9d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/zzy_descope_legacy.yaml deleted file mode 100644 index a9584ac29f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/values.yaml deleted file mode 100644 index 87242b5b18..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/cni/values.yaml +++ /dev/null @@ -1,204 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Additional labels to apply on the daemonset level - daemonSetLabels: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Additional labels to apply on the pod level - podLabels: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This is enabled by default - reconcileIptablesOnStartup: true - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors - enableAmbientDetectionRetry: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Sets the per-pod terminationGracePeriodSeconds setting. - # A higher value gives more time for CNI cleanup during rolling updates, - # preventing "failed to find plugin istio-cni" errors. - # Default K8s value is 30 seconds. - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - - # Default tag for Istio images. - tag: 1.29.0 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/Chart.yaml deleted file mode 100644 index 88c8550b33..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.29.0 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.29.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/README.md deleted file mode 100644 index 6344859a22..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index e5a0a9b3c2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,40 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{- define "gateway.labels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if and (ne $key "app") (ne $key "istio") }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} -istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} -{{- end }} - -{{/* -Keep sidecar injection labels together -https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy -*/}} -{{- define "gateway.sidecarInjectionLabels" -}} -sidecar.istio.io/inject: "true" -{{- with .Values.revision }} -istio.io/rev: {{ . | quote }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 1d8f93a472..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 64ecb6a4cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/networkpolicy.yaml deleted file mode 100644 index ea2fab97b3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "gateway.name" . }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Gateway" - istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} - release: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "gateway.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - ingress: - # Status/health check port - - from: [] - ports: - - protocol: TCP - port: 15021 - # Metrics endpoints for monitoring/prometheus - - from: [] - ports: - - protocol: TCP - port: 15020 - - protocol: TCP - port: 15090 - # Main gateway traffic ports -{{- if .Values.service.ports }} -{{- range .Values.service.ports }} - - from: [] - ports: - - protocol: {{ .protocol | default "TCP" }} - port: {{ .targetPort | default .port }} -{{- end }} -{{- end }} - egress: - # Allow all egress (gateways need to reach external services, istiod, and other cluster services) - - {} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/role.yaml deleted file mode 100644 index 3d16079632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/service.yaml deleted file mode 100644 index d172364d0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,78 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if hasKey .Values.service "loadBalancerClass" }} - loadBalancerClass: {{ .Values.service.loadBalancerClass }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} -{{- with .Values.service.internalTrafficPolicy }} - internalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} -{{- if not (eq .Values.service.clusterIP "") }} - clusterIP: {{ .Values.service.clusterIP }} -{{- end }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} - {{- with .Values.service.selectorLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index c88afeadd3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/values.schema.json deleted file mode 100644 index 553de55439..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/values.schema.json +++ /dev/null @@ -1,363 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "enabled": { - "description": "Field used as a condition when this chart is included as a dependency. It's allowed in the schema, but the chart itself does not read it. For more information see: https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags.", - "type": "boolean" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "selectorLabels": { - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/values.yaml deleted file mode 100644 index d463634ec4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/gateway/values.yaml +++ /dev/null @@ -1,204 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Set to a specific ClusterIP, or "" for automatic assignment - clusterIP: "" - # Additional labels to add to the service selector - selectorLabels: {} - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # The PodDisruptionBudget can be only enabled if autoscaling is enabled - # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} - - # When enabled, a default NetworkPolicy for gateways will be created - global: - networkPolicy: - enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/Chart.yaml deleted file mode 100644 index a8c675796d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.29.0 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.29.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/README.md deleted file mode 100644 index 44f7b1d8ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/agentgateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/agentgateway.yaml deleted file mode 100644 index ca55352712..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/agentgateway.yaml +++ /dev/null @@ -1,306 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-agentgateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-agentgateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start # allows binding to 80 and 443 without root - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: agentgateway - {{- if contains "/" (annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image) }} - image: "{{ annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image }}" - {{- else }} - image: "{{ .AgentgatewayImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "10101" }} - runAsGroup: {{ .ProxyGID | default "10101" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - args: - - --config - - '{}' - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: GATEWAY - value: {{.Name|quote}} - - name: RUST_BACKTRACE - value: "1" - - name: CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: NETWORK - value: {{.|quote}} - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - - name: XDS_ADDRESS - value: {{ .ProxyConfig.DiscoveryAddress | quote }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - mountPath: /var/run/secrets/xds - name: istiod-ca-cert - - mountPath: /var/run/secrets/xds-tokens - name: istio-token - - mountPath: /tmp - name: tmp - volumes: - - emptyDir: {} - name: tmp - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: xds-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 3b7c71cfaf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,277 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 3b9240e36c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,318 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 82ef167172..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,552 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: {{ .Values.pilot.crlConfigMapName | default "istio-ca-crl" }} - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index 8d909beb83..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,410 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 644d8780c3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,408 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- if eq .ControllerLabel "istio.io-eastwest-controller" }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{ $network }}" - {{- end }} - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0d07ea7f4c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,82 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- $profile := default "" .Values.profile }} -{{- if (eq $profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} -{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} -{{- fail "pilotCertProvider=kubernetes is not supported" }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 042c92538d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9ab43b5bf0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index 3280c96b54..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,216 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - - xlistenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 0ca21b9576..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 45943d3839..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap-values.yaml deleted file mode 100644 index dcd1e3530c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap-values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - original-values: |- -{{ .Values._original | toPrettyJson | indent 4 }} -{{- $_ := unset $.Values "_original" }} - merged-values: |- -{{ .Values | toPrettyJson | indent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a24ff9ee24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 455c0ab980..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,313 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} -{{- if .Values.crlConfigMapName }} - - name: PILOT_CRL_CONFIGMAP - value: "{{ .Values.crlConfigMapName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/gateway-class-configmap.yaml deleted file mode 100644 index 9f7cdb01da..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/gateway-class-configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{ range $key, $value := .Values.gatewayClasses }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} - namespace: {{ $.Release.Namespace }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - gateway.istio.io/defaults-for-class: {{$key|quote}} - {{- include "istio.labels" $ | nindent 4 }} -data: -{{ range $kind, $overlay := $value }} - {{$kind}}: | -{{$overlay|toYaml|trim|indent 4}} -{{ end }} ---- -{{ end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 73288ab974..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,87 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" "env" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "agentgateway") }} - agentgateway: | -{{ .Files.Get "files/agentgateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 26a6c8f00d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,167 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/networkpolicy.yaml deleted file mode 100644 index e844d5e5de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - policyTypes: - - Ingress - - Egress - ingress: - # Webhook from kube-apiserver - - from: [] - ports: - - protocol: TCP - port: 15017 - # xDS from potentially anywhere - - from: [] - ports: - - protocol: TCP - port: 15010 - - protocol: TCP - port: 15011 - - protocol: TCP - port: 15012 - - protocol: TCP - port: 8080 - - protocol: TCP - port: 15014 - # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) - egress: - - {} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index 0ac37d1cdf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 -{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index af795f1f5a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 624f00dce6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/remote-istiod-endpointslices.yaml deleted file mode 100644 index e2f4ff03b6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/remote-istiod-endpointslices.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: discovery.k8s.io/v1 -kind: EndpointSlice -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - {{- if .Release.Service }} - endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} - {{- end }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -addressType: IPv4 -endpoints: -- addresses: - - {{ .Values.global.remotePilotAddress }} -ports: -- port: 15012 - name: tcp-istiod - protocol: TCP -- port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index ab14497bac..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/role.yaml deleted file mode 100644 index 8abe608b66..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 731964f04d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/service.yaml deleted file mode 100644 index c3aade8a49..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index ee40eedf81..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 838d9fbaf7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 6903b29b50..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,70 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/zzy_descope_legacy.yaml deleted file mode 100644 index 73202418ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/values.yaml deleted file mode 100644 index 506f0ba965..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/istiod/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.29.0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/Chart.yaml deleted file mode 100644 index 6cdf50e73a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.29.0 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/values.yaml deleted file mode 100644 index 506f0ba965..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/revisiontags/values.yaml +++ /dev/null @@ -1,583 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-release - # Default tag for Istio images. - tag: 1.29.0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/Chart.yaml deleted file mode 100644 index 55bd2b9090..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.29.0 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.29.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/README.md deleted file mode 100644 index 72ea6892e5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db06..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/_helpers.tpl deleted file mode 100644 index 46a7a0b79d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/_helpers.tpl +++ /dev/null @@ -1 +0,0 @@ -{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 2c85867a08..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,229 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- if .Values.peerCaCrl.enabled }} - - name: CRL_PATH - value: "/var/run/secrets/istio/crl/ca-crl.pem" - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- if .Values.peerCaCrl.enabled }} - - mountPath: /var/run/secrets/istio/crl - name: crl-volume - readOnly: true - {{- end }} - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- if .Values.peerCaCrl.enabled }} - # Optional CRL volume - mounts istio-ca-crl ConfigMap if it exists - - name: crl-volume - configMap: - name: istio-ca-crl - optional: true - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 18291716bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} -{{- if (eq (.Values.platform | default "") "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "ztunnel.release-name" . }} -subjects: -- kind: ServiceAccount - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/resourcequota.yaml deleted file mode 100644 index d33c9fe137..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/resourcequota.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/serviceaccount.yaml deleted file mode 100644 index e1146f3920..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/values.yaml deleted file mode 100644 index 8bc5c2be42..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/charts/ztunnel/values.yaml +++ /dev/null @@ -1,146 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-release - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.29.0 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - global: - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # Certificate Revocation List (CRL) support for plugged-in CAs. - # When enabled, ztunnel will check certificates against the CRL - peerCaCrl: - enabled: false - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/cni-1.29.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/cni-1.29.0.tgz.etag deleted file mode 100644 index 2001a15505..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/cni-1.29.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -29e783db95c922f372c48d7dbba4669f diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/commit deleted file mode 100644 index 5e57fb8955..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/commit +++ /dev/null @@ -1 +0,0 @@ -1.29.0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/gateway-1.29.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/gateway-1.29.0.tgz.etag deleted file mode 100644 index 451d7da9af..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/gateway-1.29.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -902de661697f558161c56a9ff81ec980 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/istiod-1.29.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/istiod-1.29.0.tgz.etag deleted file mode 100644 index b7f8d58779..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/istiod-1.29.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -555ed5791277a0bd916203b4869874be diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/ambient.yaml deleted file mode 100644 index 71ea784a80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/default.yaml deleted file mode 100644 index 8f1ef19676..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true - ztunnel: - resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/demo.yaml deleted file mode 100644 index 53c4b41633..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/empty.yaml deleted file mode 100644 index 4477cb1fe1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1 -kind: Istio -spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/openshift-ambient.yaml deleted file mode 100644 index 76edf00cd8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/openshift.yaml deleted file mode 100644 index 41492660fe..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/openshift.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/preview.yaml deleted file mode 100644 index 59d545c840..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/remote.yaml deleted file mode 100644 index 54c65c8ba9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/remote.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/stable.yaml deleted file mode 100644 index 285feba244..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/ztunnel-1.29.0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/ztunnel-1.29.0.tgz.etag deleted file mode 100644 index 5d57b9e22e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.29.0/ztunnel-1.29.0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -01a7408aa19c62ff3b088f7068d2f55a diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/base-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/base-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag deleted file mode 100644 index e09a1d9ee8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/base-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -6d23c52d32c4f9493c440e9b922b461c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/Chart.yaml deleted file mode 100644 index aa48a635ea..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/README.md deleted file mode 100644 index ae8f6d5b0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f578..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml deleted file mode 100644 index 30049df989..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml deleted file mode 100644 index dcd16e964f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index bb7a74ff48..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This singleton service account aggregates reader permissions for the revisions in a given cluster -# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, -# as otherwise compromising the token for this SA would give you access to *every* installed revision. -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/values.yaml deleted file mode 100644 index 8353c57d6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/base/values.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - base: - # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. - # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. - # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. - excludedCRDs: [] - # Helm (as of V3) does not support upgrading CRDs, because it is not universally - # safe for them to support this. - # Istio as a project enforces certain backwards-compat guarantees that allow us - # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs - # as standard K8S resources in Helm, and disable Helm's CRD management. See also: - # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts - enableCRDTemplates: true - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/Chart.yaml deleted file mode 100644 index 441ed247ba..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/README.md deleted file mode 100644 index f7e5cbd379..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b99..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/_helpers.tpl deleted file mode 100644 index 4185bfc79d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/_helpers.tpl +++ /dev/null @@ -1,33 +0,0 @@ -{{- define "name" -}} - istio-cni -{{- end }} - - -{{- define "istio-tag" -}} - {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} -{{- end }} - -{{/* -Render resource requirements, omitting any nil values. -*/}} -{{- define "istio-cni.resources" -}} -{{- range $key := list "limits" "requests" }} - {{- $resources := index $ $key }} - {{- if $resources }} - {{- $hasValues := false }} - {{- range $name, $value := $resources }} - {{- if $value }} - {{- $hasValues = true }} - {{- end }} - {{- end }} - {{- if $hasValues }} -{{ $key }}: - {{- range $name, $value := $resources }} - {{- if $value }} - {{ $name }}: {{ $value }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index 51af4ce7ff..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,84 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-repair-role - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-ambient - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -- apiGroups: ["apps"] - resources: ["daemonsets"] - resourceNames: ["{{ template "name" . }}-node"] - verbs: ["get"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 60e3c28be8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-repair-rolebinding - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-repair-role -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-ambient - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-ambient -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 9b5dd47925..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,44 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} - AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} - ENABLE_AMBIENT_DETECTION_RETRY: {{ .Values.ambient.enableAmbientDetectionRetry | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} - {{- if .Values.istioOwnedCNIConfig }} - ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} - NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} - {{- with .Values.env }} - {{- range $key, $val := . }} - {{ $key }}: "{{ $val }}" - {{- end }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/daemonset.yaml deleted file mode 100644 index d7b206e359..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,252 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -# -# $detectedBinDir exists to support a GKE-specific platform override, -# and is deprecated in favor of using the explicit `gke` platform profile. -{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -{{- if .Values.cniBinDir }} -{{ $detectedBinDir = .Values.cniBinDir }} -{{- end }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - # Note that this is templated but evaluates to a fixed name - # which the CNI plugin may fall back onto in some failsafe scenarios. - # if this name is changed, CNI plugin logic that checks for this name - # format should also be updated. - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} - {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Add AppArmor annotation - # This is required to avoid conflicts with AppArmor profiles which block certain - # privileged pod capabilities. - # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the - # securityContext which is otherwise preferred. - container.apparmor.security.beta.kubernetes.io/install-cni: unconfined - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet -{{- end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Time to allow for graceful CNI cleanup during pod termination. - # Configurable via values.yaml to prevent race conditions during rolling updates. - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: false - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so explicitly set it to false and - # add capabilities based on feature. - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_PTRACE is required for repair and ambient mode to describe - # the pod's network namespace. - - SYS_PTRACE - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod network - # namespaces. There does not appear to be a more granular capability for this. - - SYS_ADMIN - # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose - # the typical ability to read/write to folders owned by others. - # This can cause problems if the hostPath mounts we use, which we require write access into, - # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. - - DAC_OVERRIDE -{{- if .Values.seLinuxOptions }} -{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} - seLinuxOptions: -{{ toYaml . | trim | indent 14 }} -{{- end }} -{{- end }} -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} - - name: ALLOW_SWITCH_TO_HOST_NS - value: "true" - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ include "istio-cni.resources" .Values.resources | trim | indent 12 }} -{{- else }} -{{ include "istio-cni.resources" .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ $detectedBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 37ef7c3e6d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if eq .Values.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: {{ template "name" . }} - namespace: default - labels: - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 2e0be5ab40..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ template "name" . }}-resource-quota - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 17c8e64a9d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/zzy_descope_legacy.yaml deleted file mode 100644 index a9584ac29f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/values.yaml deleted file mode 100644 index 7dfe82aa6a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/cni/values.yaml +++ /dev/null @@ -1,204 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI-and-platform specific path defaults. - # These may need to be set to platform-specific values, consult - # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` - cniBinDir: /opt/cni/bin - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - cniNetnsDir: "/var/run/netns" - - # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist - istioOwnedCNIConfigFileName: "" - istioOwnedCNIConfig: false - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Additional labels to apply on the daemonset level - daemonSetLabels: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Additional labels to apply on the pod level - podLabels: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # If ambient is enabled, this selector will be used to identify the ambient-enabled pods - enablementSelectors: - - podSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - - podSelector: - matchExpressions: - - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } - namespaceSelector: - matchLabels: {istio.io/dataplane-mode: ambient} - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: true - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. - # This is enabled by default - reconcileIptablesOnStartup: true - # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on - shareHostNetworkNamespace: false - # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors - enableAmbientDetectionRetry: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. - seLinuxOptions: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - - # Sets the per-pod terminationGracePeriodSeconds setting. - # A higher value gives more time for CNI cleanup during rolling updates, - # preventing "failed to find plugin istio-cni" errors. - # Default K8s value is 30 seconds. - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - - # Default tag for Istio images. - tag: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # A `key: value` mapping of environment variables to add to the pod - env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/Chart.yaml deleted file mode 100644 index c0bb3b74d1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/README.md deleted file mode 100644 index 6344859a22..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index 9d3cfa2ce8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,65 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{- define "gateway.labels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if and (ne $key "app") (ne $key "istio") }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} -istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} -{{- end }} - -{{/* -Keep sidecar injection labels together -https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy -*/}} -{{- define "gateway.sidecarInjectionLabels" -}} -sidecar.istio.io/inject: "true" -{{- with .Values.revision }} -istio.io/rev: {{ . | quote }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} - -{{/* -Render resource requirements, omitting any nil values. -*/}} -{{- define "gateway.resources" -}} -{{- range $key := list "limits" "requests" }} - {{- $resources := index $ $key }} - {{- if $resources }} - {{- $hasValues := false }} - {{- range $name, $value := $resources }} - {{- if $value }} - {{- $hasValues = true }} - {{- end }} - {{- end }} - {{- if $hasValues }} -{{ $key }}: - {{- range $name, $value := $resources }} - {{- if $value }} - {{ $name }}: {{ $value }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 6daec4927b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,145 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} - replicas: {{ .Values.replicaCount }} - {{- end }} - {{- end }} - {{- with .Values.strategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.minReadySeconds }} - minReadySeconds: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq (.Values.platform | default "") "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- include "gateway.resources" .Values.resources | trim | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.lifecycle }} - lifecycle: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.additionalContainers }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 64ecb6a4cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/networkpolicy.yaml deleted file mode 100644 index ea2fab97b3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "gateway.name" . }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Gateway" - istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} - release: {{ .Release.Name }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "gateway.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - ingress: - # Status/health check port - - from: [] - ports: - - protocol: TCP - port: 15021 - # Metrics endpoints for monitoring/prometheus - - from: [] - ports: - - protocol: TCP - port: 15020 - - protocol: TCP - port: 15090 - # Main gateway traffic ports -{{- if .Values.service.ports }} -{{- range .Values.service.ports }} - - from: [] - ports: - - protocol: {{ .protocol | default "TCP" }} - port: {{ .targetPort | default .port }} -{{- end }} -{{- end }} - egress: - # Allow all egress (gateways need to reach external services, istiod, and other cluster services) - - {} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/role.yaml deleted file mode 100644 index 3d16079632..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/service.yaml deleted file mode 100644 index d172364d0e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,78 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} - {{- if hasKey .Values.service "loadBalancerClass" }} - loadBalancerClass: {{ .Values.service.loadBalancerClass }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} -{{- with .Values.service.internalTrafficPolicy }} - internalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} -{{- if not (eq .Values.service.clusterIP "") }} - clusterIP: {{ .Values.service.clusterIP }} -{{- end }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} - {{- with .Values.service.selectorLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index c88afeadd3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/values.schema.json deleted file mode 100644 index 553de55439..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/values.schema.json +++ /dev/null @@ -1,363 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "$defs": { - "values": { - "type": "object", - "additionalProperties": false, - "properties": { - "_internal_defaults_do_not_set": { - "type": "object" - }, - "global": { - "type": "object" - }, - "enabled": { - "description": "Field used as a condition when this chart is included as a dependency. It's allowed in the schema, but the chart itself does not read it. For more information see: https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags.", - "type": "boolean" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "envVarFrom": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { "type": "string" }, - "valueFrom": { "type": "object" } - } - } - }, - "strategy": { - "type": "object" - }, - "minReadySeconds": { - "type": [ "null", "integer" ] - }, - "readinessProbe": { - "type": [ "null", "object" ] - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": ["object", "null"], - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "defaultRevision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "profile": { - "type": "string" - }, - "platform": { - "type": "string" - }, - "pilot": { - "type": "object" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "selectorLabels": { - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "initContainers": { - "type": "array", - "items": { "type": "object" } - }, - "additionalContainers": { - "type": "array", - "items": { "type": "object" } - }, - "priorityClassName": { - "type": "string" - }, - "lifecycle": { - "type": "object", - "properties": { - "postStart": { - "type": "object" - }, - "preStop": { - "type": "object" - } - } - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/values.yaml deleted file mode 100644 index d463634ec4..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/gateway/values.yaml +++ /dev/null @@ -1,204 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - # Set to a specific ClusterIP, or "" for automatic assignment - clusterIP: "" - # Additional labels to add to the service selector - selectorLabels: {} - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - ## Set LoadBalancer class (only for LoadBalancers). - # loadBalancerClass: "" - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Use envVarFrom to define full environment variable entries with complex sources, - # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. - # - # Example: - # envVarFrom: - # - name: EXAMPLE_SECRET - # valueFrom: - # secretKeyRef: - # name: example-name - # key: example-key - envVarFrom: [] - - # Deployment Update strategy - strategy: {} - - # Sets the Deployment minReadySeconds value - minReadySeconds: - - # Optionally configure a custom readinessProbe. By default the control plane - # automatically injects the readinessProbe. If you wish to override that - # behavior, you may define your own readinessProbe here. - readinessProbe: {} - - # Labels to apply to all resources - labels: - # By default, don't enroll gateways into the ambient dataplane - "istio.io/dataplane-mode": none - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # The PodDisruptionBudget can be only enabled if autoscaling is enabled - # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - # Sets the per-pod terminationGracePeriodSeconds setting. - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Inject initContainers into the Gateway Pods. - initContainers: [] - - # Inject additional containers into the Gateway Pods. - additionalContainers: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Configure the lifecycle hooks for the gateway. See - # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. - lifecycle: {} - - # When enabled, a default NetworkPolicy for gateways will be created - global: - networkPolicy: - enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/Chart.yaml deleted file mode 100644 index d133b04f64..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/README.md deleted file mode 100644 index 44f7b1d8ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/agentgateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/agentgateway.yaml deleted file mode 100644 index 8ed6d8fbbd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/agentgateway.yaml +++ /dev/null @@ -1,306 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-agentgateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-agentgateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start # allows binding to 80 and 443 without root - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: agentgateway - {{- if contains "/" (annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image) }} - image: "{{ annotation .ObjectMeta `gateway.istio.io/agentgatewayImage` .Values.global.agentgateway.image }}" - {{- else }} - image: "{{ .AgentgatewayImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml (omitNil .Values.global.proxy.resources) | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "10101" }} - runAsGroup: {{ .ProxyGID | default "10101" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - args: - - --config - - '{}' - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: GATEWAY - value: {{.Name|quote}} - - name: RUST_BACKTRACE - value: "1" - - name: CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: NETWORK - value: {{.|quote}} - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - - name: XDS_ADDRESS - value: {{ .ProxyConfig.DiscoveryAddress | quote }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - mountPath: /var/run/secrets/xds - name: istiod-ca-cert - - mountPath: /var/run/secrets/xds-tokens - name: istio-token - - mountPath: /tmp - name: tmp - volumes: - - emptyDir: {} - name: tmp - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: xds-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 3b7c71cfaf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,277 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: - istio.io/rev: {{ .Revision | default "default" | quote }} - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" - {{- end }} - {{- end }} -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 1918935d68..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,318 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml (omitNil .Values.global.proxy.resources) | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 4b7762e3e1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,557 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml (omitNil .Values.global.proxy.resources) | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} -{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} -{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - {{- $noInitContainer := and - (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) - (not $nativeSidecar) }} - {{ if $noInitContainer }} - initContainers: [] - {{ else -}} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" - {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{ if .Values.global.nativeNftables -}} - - "--native-nftables" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} - runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} - runAsNonRoot: true - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - {{ end -}} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ . }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- $otelResAttrs := otelResourceAttributes .MeshConfig .ObjectMeta.Annotations .ObjectMeta.Labels .DeploymentMeta.Namespace .Spec.Containers }} - {{- if $otelResAttrs }} - - name: OTEL_RESOURCE_ATTRIBUTES - value: "{{ $otelResAttrs }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or $tproxy $capNetBindService -}} - add: - {{ if $tproxy -}} - - NET_ADMIN - {{- end }} - {{ if $capNetBindService -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - {{ if or $tproxy $capNetBindService -}} - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 1337 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{- end }} - {{- end }} - {{- if .Values.global.proxy.seccompProfile }} - seccompProfile: - {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/istio/crl - name: istio-ca-crl - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - - name: istio-ca-crl - configMap: - name: {{ .Values.pilot.crlConfigMapName | default "istio-ca-crl" }} - optional: true - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index f281176357..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,410 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml (omitNil .Values.global.proxy.resources) | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 3470c6153c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,408 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - "gateway.istio.io/managed" .ControllerLabel - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: "1" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- if eq .ControllerLabel "istio.io-eastwest-controller" }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{ $network }}" - {{- end }} - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml (omitNil .Values.global.waypoint.resources) | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: istiod-ca-cert - {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{.DeploymentName | quote}} - maxReplicas: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.networking.k8s.io/gateway-class-name" .GatewayClass - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - gateway.networking.k8s.io/gateway-name: {{.Name|quote}} - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0d07ea7f4c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,82 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- $profile := default "" .Values.profile }} -{{- if (eq $profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} -{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} -{{- fail "pilotCertProvider=kubernetes is not supported" }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index c64f6af543..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,48 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* -Render resource requirements, omitting any nil values. -*/}} -{{- define "istiod.resources" -}} -{{- range $key := list "limits" "requests" }} - {{- $resources := index $ $key }} - {{- if $resources }} - {{- $hasValues := false }} - {{- range $name, $value := $resources }} - {{- if $value }} - {{- $hasValues = true }} - {{- end }} - {{- end }} - {{- if $hasValues }} -{{ $key }}: - {{- range $name, $value := $resources }} - {{- if $value }} - {{ $name }}: {{ $value }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 9ab43b5bf0..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index 5e7b6554cb..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,216 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update", "patch"] - resources: - - authorizationpolicies/status - - destinationrules/status - - envoyfilters/status - - gateways/status - - peerauthentications/status - - proxyconfigs/status - - requestauthentications/status - - serviceentries/status - - sidecars/status - - telemetries/status - - virtualservices/status - - wasmplugins/status - - workloadentries/status - - workloadgroups/status -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status", "serviceentries/status" ] - - apiGroups: ["security.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "authorizationpolicies/status" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} -{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - - apiGroups: ["certificates.k8s.io"] - resources: ["clustertrustbundles"] - verbs: ["update", "create", "delete", "list", "watch", "get"] - - apiGroups: ["certificates.k8s.io"] - resources: ["signers"] - resourceNames: ["istio.io/istiod-ca"] - verbs: ["attest"] -{{- end }} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["gateway.networking.x-k8s.io"] - resources: - - xbackendtrafficpolicies/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - - listenersets/status - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools"] - verbs: ["get", "watch", "list"] - - apiGroups: ["inference.networking.k8s.io"] - resources: ["inferencepools/status"] - verbs: ["update", "patch"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: ["autoscaling"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "horizontalpodautoscalers" ] - - apiGroups: ["policy"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "poddisruptionbudgets" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 0ca21b9576..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index 45943d3839..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap-values.yaml deleted file mode 100644 index dcd1e3530c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap-values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - annotations: - kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - original-values: |- -{{ .Values._original | toPrettyJson | indent 4 }} -{{- $_ := unset $.Values "_original" }} - merged-values: |- -{{ .Values | toPrettyJson | indent 4 }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap.yaml deleted file mode 100644 index a24ff9ee24..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,113 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/deployment.yaml deleted file mode 100644 index b255ced930..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,317 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} - {{- if .Values.deploymentAnnotations }} - annotations: -{{ toYaml .Values.deploymentAnnotations | indent 4 }} - {{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- with .Values.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - name: http-debug - - containerPort: 15010 - protocol: TCP - name: grpc-xds - - containerPort: 15012 - protocol: TCP - name: tls-xds - - containerPort: 15017 - protocol: TCP - name: https-webhooks - - containerPort: 15014 - protocol: TCP - name: http-monitoring - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- with .Values.envVarFrom }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -{{- if .Values.taint.enabled }} - - name: PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS - value: "true" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} -{{- if .Values.global.trustBundleName }} - - name: PILOT_CA_CERT_CONFIGMAP - value: "{{ .Values.global.trustBundleName }}" -{{- end }} -{{- if .Values.crlConfigMapName }} - - name: PILOT_CRL_CONFIGMAP - value: "{{ .Values.crlConfigMapName }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - - name: PLATFORM - value: "{{ coalesce .Values.global.platform .Values.platform }}" - resources: -{{- if .Values.resources }} -{{ include "istiod.resources" .Values.resources | trim | indent 12 }} -{{- else }} -{{ include "istiod.resources" .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} - path: root-cert.pem - optional: true - {{- else }} - configMap: - name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} - defaultMode: 420 - optional: true - {{- end }} - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/gateway-class-configmap.yaml deleted file mode 100644 index 9f7cdb01da..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/gateway-class-configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{ range $key, $value := .Values.gatewayClasses }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} - namespace: {{ $.Release.Namespace }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - gateway.istio.io/defaults-for-class: {{$key|quote}} - {{- include "istio.labels" $ | nindent 4 }} -data: -{{ range $kind, $overlay := $value }} - {{$kind}}: | -{{$overlay|toYaml|trim|indent 4}} -{{ end }} ---- -{{ end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 73288ab974..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,87 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" "env" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "agentgateway") }} - agentgateway: | -{{ .Files.Get "files/agentgateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 26a6c8f00d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,167 +0,0 @@ -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/networkpolicy.yaml deleted file mode 100644 index e844d5e5de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/networkpolicy.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if (.Values.global.networkPolicy).enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - policyTypes: - - Ingress - - Egress - ingress: - # Webhook from kube-apiserver - - from: [] - ports: - - protocol: TCP - port: 15017 - # xDS from potentially anywhere - - from: [] - ports: - - protocol: TCP - port: 15010 - - protocol: TCP - port: 15011 - - protocol: TCP - port: 15012 - - protocol: TCP - port: 8080 - - protocol: TCP - port: 15014 - # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) - egress: - - {} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index 0ac37d1cdf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 -{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- else if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - {{- if .Values.pdb.unhealthyPodEvictionPolicy }} - unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} - {{- end }} - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index af795f1f5a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,65 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.istiodRemote.enabled }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 624f00dce6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Created if cluster resources are not omitted -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/remote-istiod-endpointslices.yaml deleted file mode 100644 index e2f4ff03b6..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/remote-istiod-endpointslices.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -# if the remotePilotAddress is an IP addr -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: discovery.k8s.io/v1 -kind: EndpointSlice -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # This file is only used for remote `istiod` installs. - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - {{- if .Release.Service }} - endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} - {{- end }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -addressType: IPv4 -endpoints: -- addresses: - - {{ .Values.global.remotePilotAddress }} -ports: -- port: 15012 - name: tcp-istiod - protocol: TCP -- port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/remote-istiod-service.yaml deleted file mode 100644 index ab14497bac..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/remote-istiod-service.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# This file is only used for remote -{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} - # only primary `istiod` to xds and local `istiod` injection installs. - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/role.yaml deleted file mode 100644 index 8abe608b66..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 731964f04d..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/service.yaml deleted file mode 100644 index c3aade8a49..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,59 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Not created if istiod is running remotely -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} - {{- if .Values.trafficDistribution }} - trafficDistribution: {{ .Values.trafficDistribution }} - {{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index ee40eedf81..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} - {{- end }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 838d9fbaf7..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 6903b29b50..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,70 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -# Created if this is not a remote istiod, OR if it is and is also a config cluster -{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/zzy_descope_legacy.yaml deleted file mode 100644 index 73202418ca..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/values.yaml deleted file mode 100644 index 8b71dd8b82..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/istiod/values.yaml +++ /dev/null @@ -1,584 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - # When enabled, this automatically sets PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS environment variable to true in the istiod deployment. - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - # Default tag for Istio images. - tag: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/Chart.yaml deleted file mode 100644 index d5c4908cbe..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -appVersion: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 -description: Helm chart for istio revision tags -name: revisiontags -sources: -- https://github.com/istio-ecosystem/sail-operator -version: 0.1.0 - diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/revision-tags-mwc.yaml deleted file mode 100644 index 556bb2f1e9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/revision-tags-mwc.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. -{{- $whv := dict -"revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} - -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} -{{- if not .Values.global.operatorManageWebhooks }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -{{- if $.Values.sidecarInjectorWebhookAnnotations }} - annotations: -{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} -{{- end }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/revision-tags-svc.yaml deleted file mode 100644 index 5c4826d23e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/revision-tags-svc.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} -# Adapted from istio-discovery/templates/service.yaml -{{- range $tagName := .Values.revisionTags }} -apiVersion: v1 -kind: Service -metadata: - name: istiod-revision-tag-{{ $tagName }} - namespace: {{ $.Release.Namespace }} - {{- if $.Values.serviceAnnotations }} - annotations: -{{ toYaml $.Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - istio.io/tag: {{ $tagName }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ $.Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" $ | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne $.Values.revision "" }} - istio.io/rev: {{ $.Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if $.Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} - {{- end }} - {{- if $.Values.ipFamilies }} - ipFamilies: - {{- range $.Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/zzz_profile.yaml deleted file mode 100644 index 3d84956485..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/values.yaml deleted file mode 100644 index 8b71dd8b82..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/revisiontags/values.yaml +++ /dev/null @@ -1,584 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - envVarFrom: [] - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - # When enabled, this automatically sets PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS environment variable to true in the istiod deployment. - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - # Inject initContainers into the istiod pod - initContainers: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - sidecarInjectorWebhookAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - # Annotations to apply to the istiod deployment. - deploymentAnnotations: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - # Set this if you install ztunnel with a name different from the default. - trustedZtunnelName: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, - # and istiod itself will NOT be installed in this cluster - only the support resources necessary - # to utilize a remote instance. - enabled: false - - # If `true`, indicates that this cluster/install should consume a "local istiod" installation, - # local istiod inject sidecars - enabledLocalInjectorIstiod: false - - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - # Default tag for Istio images. - tag: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # In order to use native nftable rules instead of iptable rules, set this flag to true. - nativeNftables: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - omitSidecarInjectorConfigMap: false - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - seccompProfile: {} - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. - # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. - forceApplyIptables: false - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Enable control of remote clusters. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - # If specified, affinity defines the scheduling constraints of waypoint pods. - affinity: {} - - # Topology Spread Constraints for the waypoint proxy. - topologySpreadConstraints: [] - - # Node labels for the waypoint proxy. - nodeSelector: {} - - # Tolerations for the waypoint proxy. - tolerations: [] - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} - - # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. - # For example: - # gatewayClasses: - # istio: - # service: - # spec: - # type: ClusterIP - # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. - gatewayClasses: {} - - pdb: - # -- Minimum available pods set in PodDisruptionBudget. - # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 - # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 - # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. - # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ - unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/Chart.yaml deleted file mode 100644 index 83fc4900af..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/README.md deleted file mode 100644 index 72ea6892e5..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view supported configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 495fbcd434..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" - serviceScopeConfigs: - - servicesSelector: - matchExpressions: - - key: istio.io/global - operator: In - values: ["true"] - scope: GLOBAL -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.25.yaml deleted file mode 100644 index 842aaf17de..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.25.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.25 - reconcileIptablesOnStartup: false - -ambient: - # 1.26 behavioral changes - shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.26.yaml deleted file mode 100644 index f30e143133..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.26.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.27 behavioral changes - ENABLE_NATIVE_SIDECARS: "false" - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.26 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.27.yaml deleted file mode 100644 index b842b0914c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.27.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.28 behavioral changes - DISABLE_SHADOW_HOST_SUFFIX: "false" - PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.27 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.28.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.28.yaml deleted file mode 100644 index 3d378691a2..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-compatibility-version-1.28.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.29 behavioral changes - DISABLE_TRACK_REMAINING_CB_METRICS: "false" - -cni: - ambient: - # 1.29 behavioral changes - reconcileIptablesOnStartup was false by default in 1.28 - reconcileIptablesOnStartup: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index d6dc36dd0f..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,94 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - - name: jaeger - opentelemetry: - port: 4317 - service: jaeger-collector.istio-system.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-gke.yaml deleted file mode 100644 index dfe8a7d741..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-gke.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work - resourceQuotas: - enabled: true -resourceQuotas: - enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-k3d.yaml deleted file mode 100644 index cd86d9ec58..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-k3d.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-k3s.yaml deleted file mode 100644 index 07820106d9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-k3s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d - cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-microk8s.yaml deleted file mode 100644 index 57d7f5e3cd..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-microk8s.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniConfDir: /var/snap/microk8s/current/args/cni-network - cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-minikube.yaml deleted file mode 100644 index fa9992e204..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-minikube.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -cni: - cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-openshift.yaml deleted file mode 100644 index 8ddc5e1654..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-platform-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" -seLinuxOptions: - type: spc_t -# Openshift requires privileged pods to run in kube-system -trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-remote.yaml deleted file mode 100644 index d17b9a801a..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-remote.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. -istiodRemote: - enabled: true -configMap: false -telemetry: - enabled: false -global: - # TODO BML maybe a different profile for a configcluster/revisit this - omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69b..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db06..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/_helpers.tpl deleted file mode 100644 index ecbc4d3404..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/_helpers.tpl +++ /dev/null @@ -1,26 +0,0 @@ -{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} - -{{/* -Render resource requirements, omitting any nil values. -*/}} -{{- define "ztunnel.resources" -}} -{{- range $key := list "limits" "requests" }} - {{- $resources := index $ $key }} - {{- if $resources }} - {{- $hasValues := false }} - {{- range $name, $value := $resources }} - {{- if $value }} - {{- $hasValues = true }} - {{- end }} - {{- end }} - {{- if $hasValues }} -{{ $key }}: - {{- range $name, $value := $resources }} - {{- if $value }} - {{ $name }}: {{ $value }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 520f797190..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,236 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: {{ include "ztunnel.release-name" . }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | trim | indent 8 }} -{{- end }} -{{- if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy }} -{{- end }} -{{- if .Values.dnsConfig }} - dnsConfig: -{{ toYaml .Values.dnsConfig | trim | indent 8 }} -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ include "ztunnel.resources" .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - {{- if .Values.network }} - - name: NETWORK - value: {{ .Values.network | quote }} - {{- end }} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: ZTUNNEL_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - divisor: "1" - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - {{- if .Values.peerCaCrl.enabled }} - - name: CRL_PATH - value: "/var/run/secrets/istio/crl/ca-crl.pem" - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- if .Values.peerCaCrl.enabled }} - - mountPath: /var/run/secrets/istio/crl - name: crl-volume - readOnly: true - {{- end }} - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} - projected: - sources: - - clusterTrustBundle: - name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} - path: root-cert.pem - {{- else }} - configMap: - name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} - {{- end }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- if .Values.peerCaCrl.enabled }} - # Optional CRL volume - mounts istio-ca-crl ConfigMap if it exists - - name: crl-volume - configMap: - name: istio-ca-crl - optional: true - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 18291716bf..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} -{{- if (eq (.Values.platform | default "") "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "ztunnel.release-name" . }} - labels: - app: ztunnel - release: {{ include "ztunnel.release-name" . }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "ztunnel.release-name" . }} -subjects: -- kind: ServiceAccount - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/resourcequota.yaml deleted file mode 100644 index d33c9fe137..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/resourcequota.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} -{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/serviceaccount.yaml deleted file mode 100644 index e1146f3920..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: {{ include "ztunnel.release-name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 606c556697..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,75 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- if $.Values.defaults}} -{{ fail (cat - "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" - ($.Values.defaults | toYaml |nindent 4) -) }} -{{- end }} -{{- $defaults := $.Values._internal_defaults_do_not_set }} -{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} -{{- $profile := dict }} -{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" .) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} -{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown platform" .) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} -{{- end }} -{{- $x := set $.Values "_original" (deepCopy $.Values) }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/values.yaml deleted file mode 100644 index 3d153d710e..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/charts/ztunnel/values.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. -_internal_defaults_do_not_set: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-testing - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Same as `global.network`, but will override it if set. - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - global: - # When enabled, default NetworkPolicy resources will be created - networkPolicy: - enabled: false - - # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. - # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. - resourceName: "" - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Tolerations for the ztunnel pod - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # Certificate Revocation List (CRL) support for plugged-in CAs. - # When enabled, ztunnel will check certificates against the CRL - peerCaCrl: - enabled: false - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t - - # resourceScope controls what resources will be processed by helm. - # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. - # It can be one of: - # - all: all resources are processed - # - cluster: only cluster-scoped resources are processed - # - namespace: only namespace-scoped resources are processed - resourceScope: all - - # K8s DaemonSet update strategy. - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - - # DNS policy for the ztunnel pod - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: "" - - # DNS config for the ztunnel pod - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config - dnsConfig: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/cni-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/cni-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag deleted file mode 100644 index 7d6a881acb..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/cni-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -43a6342f938daede0a4993ae1cec439f diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/commit deleted file mode 100644 index c3aa9eaf6c..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/commit +++ /dev/null @@ -1 +0,0 @@ -a22c309148e944c8c73b4e2bec9a1c5a18f94bf0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/gateway-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/gateway-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag deleted file mode 100644 index ab8ea8f1da..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/gateway-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -a7a0532346afb52b911db38ff659dbbf diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/istiod-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/istiod-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag deleted file mode 100644 index 00bbf00eb3..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/istiod-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -e792ce1166bf7d8f598843c31db8ef81 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/ambient.yaml deleted file mode 100644 index 71ea784a80..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/default.yaml deleted file mode 100644 index 8f1ef19676..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true - ztunnel: - resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/demo.yaml deleted file mode 100644 index 53c4b41633..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/empty.yaml deleted file mode 100644 index 4477cb1fe1..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1 -kind: Istio -spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/openshift-ambient.yaml deleted file mode 100644 index 76edf00cd8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: ambient - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/openshift.yaml deleted file mode 100644 index 41492660fe..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/openshift.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - global: - platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/preview.yaml deleted file mode 100644 index 59d545c840..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/remote.yaml deleted file mode 100644 index 54c65c8ba9..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/remote.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# The remote profile is used to configure a mesh cluster without a locally deployed control plane. -# Only the injector mutating webhook configuration is installed. -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/stable.yaml deleted file mode 100644 index 285feba244..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1 -kind: Istio -spec: - values: - profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/ztunnel-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/ztunnel-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag deleted file mode 100644 index 458a65dff8..0000000000 --- a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.30-alpha.a22c3091/ztunnel-1.30-alpha.a22c309148e944c8c73b4e2bec9a1c5a18f94bf0.tgz.etag +++ /dev/null @@ -1 +0,0 @@ -269334788bb3e2b47d48834ea597fcbf diff --git a/vendor/istio.io/istio/pkg/slices/slices.go b/vendor/istio.io/istio/pkg/slices/slices.go index b7f29dd219..b6b13253c2 100644 --- a/vendor/istio.io/istio/pkg/slices/slices.go +++ b/vendor/istio.io/istio/pkg/slices/slices.go @@ -52,7 +52,7 @@ func EqualUnordered[E comparable](s1, s2 []E) bool { // EqualFunc returns false. Otherwise, the elements are compared in // increasing index order, and the comparison stops at the first index // for which eq returns false. -func EqualFunc[E1, E2 any](s1 []E1, s2 []E2, eq func(E1, E2) bool) bool { +func EqualFunc[E1, E2 comparable](s1 []E1, s2 []E2, eq func(E1, E2) bool) bool { return slices.EqualFunc(s1, s2, eq) } diff --git a/vendor/modules.txt b/vendor/modules.txt index eb61a5f942..ce139a0d1c 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -462,8 +462,8 @@ github.com/imdario/mergo # github.com/inconshreveable/mousetrap v1.1.0 ## explicit; go 1.18 github.com/inconshreveable/mousetrap -# github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b => github.com/aslakknutsen/sail-operator v0.0.0-20260318134045-4159c7d6ebbd -## explicit; go 1.25.0 +# github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b => github.com/aslakknutsen/sail-operator v0.0.0-20260325174717-0460eb7b4609 +## explicit; go 1.24.0 github.com/istio-ecosystem/sail-operator/api/v1 github.com/istio-ecosystem/sail-operator/bundle github.com/istio-ecosystem/sail-operator/chart/crds @@ -1174,8 +1174,8 @@ helm.sh/helm/v3/pkg/storage/driver helm.sh/helm/v3/pkg/time helm.sh/helm/v3/pkg/time/ctime helm.sh/helm/v3/pkg/uploader -# istio.io/istio v0.0.0-20260309041103-f67b89f49d1a -## explicit; go 1.25.0 +# istio.io/istio v0.0.0-20260306174229-7da666217518 +## explicit; go 1.24.0 istio.io/istio/pkg/log istio.io/istio/pkg/ptr istio.io/istio/pkg/slices @@ -1781,7 +1781,7 @@ sigs.k8s.io/controller-runtime/pkg/webhook/admission/metrics sigs.k8s.io/controller-runtime/pkg/webhook/conversion sigs.k8s.io/controller-runtime/pkg/webhook/conversion/metrics sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics -# sigs.k8s.io/gateway-api v1.5.0 => sigs.k8s.io/gateway-api v1.4.1 +# sigs.k8s.io/gateway-api v1.4.1 ## explicit; go 1.24.0 sigs.k8s.io/gateway-api/apis/v1 # sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 @@ -1889,5 +1889,4 @@ sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v3 sigs.k8s.io/yaml/kyaml # github.com/imdario/mergo => github.com/imdario/mergo v0.3.5 -# github.com/istio-ecosystem/sail-operator => github.com/aslakknutsen/sail-operator v0.0.0-20260318134045-4159c7d6ebbd -# sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.4.1 +# github.com/istio-ecosystem/sail-operator => github.com/aslakknutsen/sail-operator v0.0.0-20260325174717-0460eb7b4609