From 0e8fc1460ea6e36ce781defe32652da361c3158e Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Wed, 10 Jul 2019 20:26:45 -0400 Subject: [PATCH 01/68] operator endpoint in istio --- Makefile | 4 - cortex.sh | 4 - dev/registry.sh | 4 - docs/cluster/config.md | 2 - docs/cluster/development.md | 2 - docs/cluster/security.md | 2 +- images/manager/Dockerfile | 5 + images/nginx-backend/Dockerfile | 1 - images/nginx-controller/Dockerfile | 1 - manager/info.sh | 4 +- manager/install_cortex.sh | 20 +- manager/manifests/istio-init/Chart.yaml | 13 + manager/manifests/istio-init/README.md | 77 + .../manifests/istio-init/files/crd-10.yaml | 573 ++++ .../manifests/istio-init/files/crd-11.yaml | 23 + .../manifests/istio-init/files/crd-12.yaml | 21 + .../istio-init/files/crd-certmanager-10.yaml | 82 + .../istio-init/files/crd-certmanager-11.yaml | 74 + .../istio-init/templates/clusterrole.yaml | 11 + .../templates/clusterrolebinding.yaml | 15 + .../templates/configmap-crd-10.yaml | 8 + .../templates/configmap-crd-11.yaml | 8 + .../templates/configmap-crd-12.yaml | 8 + .../configmap-crd-certmanager-10.yaml | 10 + .../configmap-crd-certmanager-11.yaml | 10 + .../istio-init/templates/job-crd-10.yaml | 26 + .../istio-init/templates/job-crd-11.yaml | 26 + .../istio-init/templates/job-crd-12.yaml | 26 + .../templates/job-crd-certmanager-10.yaml | 28 + .../templates/job-crd-certmanager-11.yaml | 28 + .../istio-init/templates/serviceaccount.yaml | 9 + manager/manifests/istio-init/values.yaml | 16 + manager/manifests/istio/Chart.yaml | 17 + .../istio/charts/certmanager/Chart.yaml | 6 + .../charts/certmanager/templates/NOTES.txt | 6 + .../charts/certmanager/templates/_helpers.tpl | 32 + .../certmanager/templates/deployment.yaml | 69 + .../charts/certmanager/templates/issuer.yaml | 37 + .../templates/poddisruptionbudget.yaml | 24 + .../charts/certmanager/templates/rbac.yaml | 37 + .../certmanager/templates/serviceaccount.yaml | 16 + .../istio/charts/certmanager/values.yaml | 33 + .../manifests/istio/charts/galley/Chart.yaml | 13 + 
.../charts/galley/templates/_helpers.tpl | 32 + .../charts/galley/templates/clusterrole.yaml | 39 + .../galley/templates/clusterrolebinding.yaml | 17 + .../charts/galley/templates/configmap.yaml | 14 + .../charts/galley/templates/deployment.yaml | 124 + .../galley/templates/poddisruptionbudget.yaml | 22 + .../charts/galley/templates/service.yaml | 21 + .../galley/templates/serviceaccount.yaml | 16 + .../validatingwebhookconfiguration.yaml.tpl | 120 + .../manifests/istio/charts/galley/values.yaml | 29 + .../istio/charts/gateways/Chart.yaml | 15 + .../charts/gateways/templates/_affinity.tpl | 93 + .../charts/gateways/templates/_helpers.tpl | 32 + .../charts/gateways/templates/autoscale.yaml | 31 + .../charts/gateways/templates/deployment.yaml | 318 ++ .../templates/poddisruptionbudget.yaml | 31 + .../gateways/templates/preconfigured.yaml | 239 ++ .../istio/charts/gateways/templates/role.yaml | 18 + .../gateways/templates/rolebindings.yaml | 21 + .../charts/gateways/templates/service.yaml | 59 + .../gateways/templates/serviceaccount.yaml | 24 + .../istio/charts/gateways/values.yaml | 281 ++ .../manifests/istio/charts/grafana/Chart.yaml | 6 + .../grafana/dashboards/galley-dashboard.json | 1819 ++++++++++++ .../dashboards/istio-mesh-dashboard.json | 953 ++++++ .../istio-performance-dashboard.json | 1822 ++++++++++++ .../dashboards/istio-service-dashboard.json | 2601 +++++++++++++++++ .../dashboards/istio-workload-dashboard.json | 2303 +++++++++++++++ .../grafana/dashboards/mixer-dashboard.json | 1808 ++++++++++++ .../grafana/dashboards/pilot-dashboard.json | 1788 +++++++++++ .../charts/grafana/templates/_helpers.tpl | 32 + .../templates/configmap-custom-resources.yaml | 16 + .../templates/configmap-dashboards.yaml | 18 + .../charts/grafana/templates/configmap.yaml | 25 + .../create-custom-resources-job.yaml | 101 + .../charts/grafana/templates/deployment.yaml | 127 + .../grafana/templates/grafana-ports-mtls.yaml | 17 + .../charts/grafana/templates/ingress.yaml | 40 + 
.../istio/charts/grafana/templates/pvc.yaml | 19 + .../charts/grafana/templates/service.yaml | 32 + .../tests/test-grafana-connection.yaml | 37 + .../istio/charts/grafana/values.yaml | 87 + .../istio/charts/istiocoredns/Chart.yaml | 6 + .../istiocoredns/templates/_helpers.tpl | 32 + .../istiocoredns/templates/clusterrole.yaml | 13 + .../templates/clusterrolebinding.yaml | 17 + .../istiocoredns/templates/configmap.yaml | 24 + .../istiocoredns/templates/deployment.yaml | 96 + .../istiocoredns/templates/service.yaml | 20 + .../templates/serviceaccount.yaml | 16 + .../istio/charts/istiocoredns/values.yaml | 33 + .../manifests/istio/charts/kiali/Chart.yaml | 6 + .../istio/charts/kiali/templates/_helpers.tpl | 32 + .../charts/kiali/templates/clusterrole.yaml | 265 ++ .../kiali/templates/clusterrolebinding.yaml | 17 + .../charts/kiali/templates/configmap.yaml | 27 + .../charts/kiali/templates/demosecret.yaml | 16 + .../charts/kiali/templates/deployment.yaml | 77 + .../istio/charts/kiali/templates/ingress.yaml | 40 + .../istio/charts/kiali/templates/service.yaml | 17 + .../kiali/templates/serviceaccount.yaml | 16 + .../tests/test-kiali-connection.yaml | 37 + .../manifests/istio/charts/kiali/values.yaml | 55 + .../manifests/istio/charts/mixer/Chart.yaml | 13 + .../istio/charts/mixer/templates/_helpers.tpl | 32 + .../charts/mixer/templates/autoscale.yaml | 29 + .../charts/mixer/templates/clusterrole.yaml | 24 + .../mixer/templates/clusterrolebinding.yaml | 19 + .../istio/charts/mixer/templates/config.yaml | 1086 +++++++ .../charts/mixer/templates/deployment.yaml | 428 +++ .../mixer/templates/poddisruptionbudget.yaml | 32 + .../istio/charts/mixer/templates/service.yaml | 39 + .../mixer/templates/serviceaccount.yaml | 18 + .../manifests/istio/charts/mixer/values.yaml | 88 + .../istio/charts/nodeagent/Chart.yaml | 13 + .../charts/nodeagent/templates/_helpers.tpl | 32 + .../nodeagent/templates/clusterrole.yaml | 13 + .../templates/clusterrolebinding.yaml | 17 + 
.../charts/nodeagent/templates/daemonset.yaml | 66 + .../nodeagent/templates/serviceaccount.yaml | 16 + .../istio/charts/nodeagent/values.yaml | 35 + .../manifests/istio/charts/pilot/Chart.yaml | 13 + .../istio/charts/pilot/templates/_helpers.tpl | 32 + .../charts/pilot/templates/autoscale.yaml | 25 + .../charts/pilot/templates/clusterrole.yaml | 34 + .../pilot/templates/clusterrolebinding.yaml | 17 + .../charts/pilot/templates/deployment.yaml | 225 ++ .../charts/pilot/templates/meshexpansion.yaml | 91 + .../pilot/templates/poddisruptionbudget.yaml | 22 + .../istio/charts/pilot/templates/service.yaml | 23 + .../pilot/templates/serviceaccount.yaml | 16 + .../manifests/istio/charts/pilot/values.yaml | 50 + .../istio/charts/prometheus/Chart.yaml | 6 + .../charts/prometheus/templates/_helpers.tpl | 32 + .../prometheus/templates/clusterrole.yaml | 24 + .../templates/clusterrolebindings.yaml | 17 + .../prometheus/templates/configmap.yaml | 281 ++ .../prometheus/templates/deployment.yaml | 80 + .../charts/prometheus/templates/ingress.yaml | 40 + .../charts/prometheus/templates/service.yaml | 45 + .../prometheus/templates/serviceaccount.yaml | 16 + .../tests/test-prometheus-connection.yaml | 36 + .../istio/charts/prometheus/values.yaml | 59 + .../istio/charts/security/Chart.yaml | 13 + .../charts/security/templates/_helpers.tpl | 32 + .../security/templates/cleanup-secrets.yaml | 125 + .../security/templates/clusterrole.yaml | 22 + .../templates/clusterrolebinding.yaml | 17 + .../charts/security/templates/configmap.yaml | 20 + .../create-custom-resources-job.yaml | 101 + .../charts/security/templates/deployment.yaml | 108 + .../security/templates/enable-mesh-mtls.yaml | 63 + .../templates/enable-mesh-permissive.yaml | 16 + .../security/templates/meshexpansion.yaml | 56 + .../charts/security/templates/service.yaml | 23 + .../security/templates/serviceaccount.yaml | 16 + .../tests/test-citadel-connection.yaml | 36 + .../istio/charts/security/values.yaml | 36 + 
.../charts/sidecarInjectorWebhook/Chart.yaml | 13 + .../templates/_helpers.tpl | 32 + .../templates/clusterrole.yaml | 17 + .../templates/clusterrolebinding.yaml | 18 + .../templates/deployment.yaml | 110 + .../templates/mutatingwebhook.yaml | 39 + .../templates/poddisruptionbudget.yaml | 18 + .../templates/service.yaml | 16 + .../templates/serviceaccount.yaml | 17 + .../charts/sidecarInjectorWebhook/values.yaml | 42 + .../manifests/istio/charts/tracing/Chart.yaml | 6 + .../charts/tracing/templates/_helpers.tpl | 32 + .../tracing/templates/deployment-jaeger.yaml | 92 + .../tracing/templates/deployment-zipkin.yaml | 82 + .../charts/tracing/templates/ingress.yaml | 41 + .../tracing/templates/service-jaeger.yaml | 90 + .../charts/tracing/templates/service.yaml | 56 + .../tests/test-tracing-connection.yaml | 40 + .../istio/charts/tracing/values.yaml | 77 + .../manifests/istio/example-values/README.md | 5 + .../values-istio-example-sds-vault.yaml | 27 + .../example-values/values-istio-gateways.yaml | 135 + .../example-values/values-istio-googleca.yaml | 22 + .../values-istio-multicluster-gateways.yaml | 27 + .../istio/files/injection-template.yaml | 348 +++ manager/manifests/istio/requirements.yaml | 40 + manager/manifests/istio/templates/NOTES.txt | 29 + .../manifests/istio/templates/_affinity.tpl | 93 + .../manifests/istio/templates/_helpers.tpl | 46 + .../istio/templates/_podDisruptionBudget.tpl | 3 + .../istio/templates/clusterrole.yaml | 11 + .../istio/templates/clusterrolebinding.yaml | 14 + .../manifests/istio/templates/configmap.yaml | 273 ++ .../manifests/istio/templates/endpoints.yaml | 63 + .../templates/install-custom-resources.sh.tpl | 32 + .../manifests/istio/templates/service.yaml | 60 + .../istio/templates/serviceaccount.yaml | 5 + .../templates/sidecar-injector-configmap.yaml | 25 + .../istio/values-istio-demo-auth.yaml | 82 + .../manifests/istio/values-istio-demo.yaml | 83 + .../manifests/istio/values-istio-minimal.yaml | 46 + 
.../manifests/istio/values-istio-remote.yaml | 34 + .../istio/values-istio-sds-auth.yaml | 20 + manager/manifests/istio/values.yaml | 492 ++++ manager/manifests/nginx.yaml | 418 --- manager/manifests/operator.yaml | 77 +- manager/uninstall_cortex.sh | 1 + pkg/lib/k8s/k8s.go | 20 +- pkg/lib/k8s/service.go | 12 + pkg/operator/workloads/api.go | 2 +- 211 files changed, 24315 insertions(+), 476 deletions(-) delete mode 100644 images/nginx-backend/Dockerfile delete mode 100644 images/nginx-controller/Dockerfile create mode 100644 manager/manifests/istio-init/Chart.yaml create mode 100644 manager/manifests/istio-init/README.md create mode 100644 manager/manifests/istio-init/files/crd-10.yaml create mode 100644 manager/manifests/istio-init/files/crd-11.yaml create mode 100644 manager/manifests/istio-init/files/crd-12.yaml create mode 100644 manager/manifests/istio-init/files/crd-certmanager-10.yaml create mode 100644 manager/manifests/istio-init/files/crd-certmanager-11.yaml create mode 100644 manager/manifests/istio-init/templates/clusterrole.yaml create mode 100644 manager/manifests/istio-init/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio-init/templates/configmap-crd-10.yaml create mode 100644 manager/manifests/istio-init/templates/configmap-crd-11.yaml create mode 100644 manager/manifests/istio-init/templates/configmap-crd-12.yaml create mode 100644 manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml create mode 100644 manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml create mode 100644 manager/manifests/istio-init/templates/job-crd-10.yaml create mode 100644 manager/manifests/istio-init/templates/job-crd-11.yaml create mode 100644 manager/manifests/istio-init/templates/job-crd-12.yaml create mode 100644 manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml create mode 100644 manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml create mode 100644 
manager/manifests/istio-init/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio-init/values.yaml create mode 100644 manager/manifests/istio/Chart.yaml create mode 100644 manager/manifests/istio/charts/certmanager/Chart.yaml create mode 100644 manager/manifests/istio/charts/certmanager/templates/NOTES.txt create mode 100644 manager/manifests/istio/charts/certmanager/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/certmanager/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/certmanager/templates/issuer.yaml create mode 100644 manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml create mode 100644 manager/manifests/istio/charts/certmanager/templates/rbac.yaml create mode 100644 manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/certmanager/values.yaml create mode 100644 manager/manifests/istio/charts/galley/Chart.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/galley/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/configmap.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/service.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl create mode 100644 manager/manifests/istio/charts/galley/values.yaml create mode 100644 manager/manifests/istio/charts/gateways/Chart.yaml create mode 100644 
manager/manifests/istio/charts/gateways/templates/_affinity.tpl create mode 100644 manager/manifests/istio/charts/gateways/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/gateways/templates/autoscale.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/preconfigured.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/role.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/rolebindings.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/service.yaml create mode 100644 manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/gateways/values.yaml create mode 100644 manager/manifests/istio/charts/grafana/Chart.yaml create mode 100644 manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json create mode 100644 manager/manifests/istio/charts/grafana/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/configmap.yaml 
create mode 100644 manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/ingress.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/pvc.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/service.yaml create mode 100644 manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml create mode 100644 manager/manifests/istio/charts/grafana/values.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/Chart.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/service.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/istiocoredns/values.yaml create mode 100644 manager/manifests/istio/charts/kiali/Chart.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/kiali/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/configmap.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/demosecret.yaml create mode 100644 
manager/manifests/istio/charts/kiali/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/ingress.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/service.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml create mode 100644 manager/manifests/istio/charts/kiali/values.yaml create mode 100644 manager/manifests/istio/charts/mixer/Chart.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/mixer/templates/autoscale.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/config.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/service.yaml create mode 100644 manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/mixer/values.yaml create mode 100644 manager/manifests/istio/charts/nodeagent/Chart.yaml create mode 100644 manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml create mode 100644 manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/nodeagent/values.yaml create mode 100644 
manager/manifests/istio/charts/pilot/Chart.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/pilot/templates/autoscale.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/service.yaml create mode 100644 manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/pilot/values.yaml create mode 100644 manager/manifests/istio/charts/prometheus/Chart.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/configmap.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/ingress.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/service.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml create mode 100644 manager/manifests/istio/charts/prometheus/values.yaml create mode 100644 manager/manifests/istio/charts/security/Chart.yaml create mode 100644 manager/manifests/istio/charts/security/templates/_helpers.tpl create mode 100644 
manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml create mode 100644 manager/manifests/istio/charts/security/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/security/templates/configmap.yaml create mode 100644 manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml create mode 100644 manager/manifests/istio/charts/security/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml create mode 100644 manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml create mode 100644 manager/manifests/istio/charts/security/templates/meshexpansion.yaml create mode 100644 manager/manifests/istio/charts/security/templates/service.yaml create mode 100644 manager/manifests/istio/charts/security/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml create mode 100644 manager/manifests/istio/charts/security/values.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml create mode 100644 
manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml create mode 100644 manager/manifests/istio/charts/tracing/Chart.yaml create mode 100644 manager/manifests/istio/charts/tracing/templates/_helpers.tpl create mode 100644 manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml create mode 100644 manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml create mode 100644 manager/manifests/istio/charts/tracing/templates/ingress.yaml create mode 100644 manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml create mode 100644 manager/manifests/istio/charts/tracing/templates/service.yaml create mode 100644 manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml create mode 100644 manager/manifests/istio/charts/tracing/values.yaml create mode 100644 manager/manifests/istio/example-values/README.md create mode 100644 manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml create mode 100644 manager/manifests/istio/example-values/values-istio-gateways.yaml create mode 100644 manager/manifests/istio/example-values/values-istio-googleca.yaml create mode 100644 manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml create mode 100644 manager/manifests/istio/files/injection-template.yaml create mode 100644 manager/manifests/istio/requirements.yaml create mode 100644 manager/manifests/istio/templates/NOTES.txt create mode 100644 manager/manifests/istio/templates/_affinity.tpl create mode 100644 manager/manifests/istio/templates/_helpers.tpl create mode 100644 manager/manifests/istio/templates/_podDisruptionBudget.tpl create mode 100644 manager/manifests/istio/templates/clusterrole.yaml create mode 100644 manager/manifests/istio/templates/clusterrolebinding.yaml create mode 100644 manager/manifests/istio/templates/configmap.yaml create mode 100644 
manager/manifests/istio/templates/endpoints.yaml create mode 100644 manager/manifests/istio/templates/install-custom-resources.sh.tpl create mode 100644 manager/manifests/istio/templates/service.yaml create mode 100644 manager/manifests/istio/templates/serviceaccount.yaml create mode 100644 manager/manifests/istio/templates/sidecar-injector-configmap.yaml create mode 100644 manager/manifests/istio/values-istio-demo-auth.yaml create mode 100644 manager/manifests/istio/values-istio-demo.yaml create mode 100644 manager/manifests/istio/values-istio-minimal.yaml create mode 100644 manager/manifests/istio/values-istio-remote.yaml create mode 100644 manager/manifests/istio/values-istio-sds-auth.yaml create mode 100644 manager/manifests/istio/values.yaml delete mode 100644 manager/manifests/nginx.yaml
diff --git a/Makefile b/Makefile
index 057edcb928..bcd3c5ade0 100644
--- a/Makefile
+++ b/Makefile
@@ -135,8 +135,6 @@ ci-build-images:
 @./build/build-image.sh images/onnx-serve onnx-serve
 @./build/build-image.sh images/operator operator
 @./build/build-image.sh images/fluentd fluentd
- @./build/build-image.sh images/nginx-controller nginx-controller
- @./build/build-image.sh images/nginx-backend nginx-backend
 @./build/build-image.sh images/argo-controller argo-controller
 @./build/build-image.sh images/argo-executor argo-executor
 @./build/build-image.sh images/python-packager python-packager
@@ -156,8 +154,6 @@ ci-push-images:
 @./build/push-image.sh onnx-serve
 @./build/push-image.sh operator
 @./build/push-image.sh fluentd
- @./build/push-image.sh nginx-controller
- @./build/push-image.sh nginx-backend
 @./build/push-image.sh argo-controller
 @./build/push-image.sh argo-executor
 @./build/push-image.sh python-packager
diff --git a/cortex.sh b/cortex.sh
index d682bb1102..43209a707f 100755
--- a/cortex.sh
+++ b/cortex.sh
@@ -120,8 +120,6 @@ export CORTEX_IMAGE_MANAGER="${CORTEX_IMAGE_MANAGER:-cortexlabs/manager:$CORTEX_
 export CORTEX_IMAGE_ARGO_CONTROLLER="${CORTEX_IMAGE_ARGO_CONTROLLER:-cortexlabs/argo-controller:$CORTEX_VERSION_STABLE}"
 export CORTEX_IMAGE_ARGO_EXECUTOR="${CORTEX_IMAGE_ARGO_EXECUTOR:-cortexlabs/argo-executor:$CORTEX_VERSION_STABLE}"
 export CORTEX_IMAGE_FLUENTD="${CORTEX_IMAGE_FLUENTD:-cortexlabs/fluentd:$CORTEX_VERSION_STABLE}"
-export CORTEX_IMAGE_NGINX_BACKEND="${CORTEX_IMAGE_NGINX_BACKEND:-cortexlabs/nginx-backend:$CORTEX_VERSION_STABLE}"
-export CORTEX_IMAGE_NGINX_CONTROLLER="${CORTEX_IMAGE_NGINX_CONTROLLER:-cortexlabs/nginx-controller:$CORTEX_VERSION_STABLE}"
 export CORTEX_IMAGE_OPERATOR="${CORTEX_IMAGE_OPERATOR:-cortexlabs/operator:$CORTEX_VERSION_STABLE}"
 export CORTEX_IMAGE_SPARK="${CORTEX_IMAGE_SPARK:-cortexlabs/spark:$CORTEX_VERSION_STABLE}"
 export CORTEX_IMAGE_SPARK_OPERATOR="${CORTEX_IMAGE_SPARK_OPERATOR:-cortexlabs/spark-operator:$CORTEX_VERSION_STABLE}"
@@ -179,8 +177,6 @@ function install_cortex() {
 -e CORTEX_IMAGE_ARGO_CONTROLLER=$CORTEX_IMAGE_ARGO_CONTROLLER \
 -e CORTEX_IMAGE_ARGO_EXECUTOR=$CORTEX_IMAGE_ARGO_EXECUTOR \
 -e CORTEX_IMAGE_FLUENTD=$CORTEX_IMAGE_FLUENTD \
- -e CORTEX_IMAGE_NGINX_BACKEND=$CORTEX_IMAGE_NGINX_BACKEND \
- -e CORTEX_IMAGE_NGINX_CONTROLLER=$CORTEX_IMAGE_NGINX_CONTROLLER \
 -e CORTEX_IMAGE_OPERATOR=$CORTEX_IMAGE_OPERATOR \
 -e CORTEX_IMAGE_SPARK=$CORTEX_IMAGE_SPARK \
 -e CORTEX_IMAGE_SPARK_OPERATOR=$CORTEX_IMAGE_SPARK_OPERATOR \
diff --git a/dev/registry.sh b/dev/registry.sh
index b501e5844b..547355669a 100755
--- a/dev/registry.sh
+++ b/dev/registry.sh
@@ -39,8 +39,6 @@ function create_registry() {
 aws ecr create-repository --repository-name=cortexlabs/argo-controller --region=$REGISTRY_REGION || true
 aws ecr create-repository --repository-name=cortexlabs/argo-executor --region=$REGISTRY_REGION || true
 aws ecr create-repository --repository-name=cortexlabs/fluentd --region=$REGISTRY_REGION || true
- aws ecr create-repository --repository-name=cortexlabs/nginx-backend --region=$REGISTRY_REGION || true
- aws ecr create-repository --repository-name=cortexlabs/nginx-controller --region=$REGISTRY_REGION || true
 aws ecr create-repository --repository-name=cortexlabs/operator --region=$REGISTRY_REGION || true
 aws ecr create-repository --repository-name=cortexlabs/spark --region=$REGISTRY_REGION || true
 aws ecr create-repository --repository-name=cortexlabs/spark-operator --region=$REGISTRY_REGION || true
@@ -134,8 +132,6 @@ elif [ "$cmd" = "update" ]; then
 build_and_push $ROOT/images/spark spark latest
 build_and_push $ROOT/images/tf-train tf-train latest
 build_and_push $ROOT/images/tf-train-gpu tf-train-gpu latest
- build_and_push $ROOT/images/nginx-controller nginx-controller latest
- build_and_push $ROOT/images/nginx-backend nginx-backend latest
 build_and_push $ROOT/images/fluentd fluentd latest
 build_and_push $ROOT/images/argo-controller argo-controller latest
 build_and_push $ROOT/images/argo-executor argo-executor latest
diff --git a/docs/cluster/config.md b/docs/cluster/config.md
index 6dc5ac1358..ab220fcfbf 100644
--- a/docs/cluster/config.md
+++ b/docs/cluster/config.md
@@ -43,8 +43,6 @@ export CORTEX_IMAGE_MANAGER="cortexlabs/manager:master"
 export CORTEX_IMAGE_ARGO_CONTROLLER="cortexlabs/argo-controller:master"
 export CORTEX_IMAGE_ARGO_EXECUTOR="cortexlabs/argo-executor:master"
 export CORTEX_IMAGE_FLUENTD="cortexlabs/fluentd:master"
-export CORTEX_IMAGE_NGINX_BACKEND="cortexlabs/nginx-backend:master"
-export CORTEX_IMAGE_NGINX_CONTROLLER="cortexlabs/nginx-controller:master"
 export CORTEX_IMAGE_OPERATOR="cortexlabs/operator:master"
 export CORTEX_IMAGE_SPARK="cortexlabs/spark:master"
 export CORTEX_IMAGE_SPARK_OPERATOR="cortexlabs/spark-operator:master"
diff --git a/docs/cluster/development.md b/docs/cluster/development.md
index e00f8105f1..a2e27e6219 100644
--- a/docs/cluster/development.md
+++ b/docs/cluster/development.md
@@ -59,8 +59,6 @@ export CORTEX_IMAGE_MANAGER="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs
 export CORTEX_IMAGE_ARGO_CONTROLLER="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/argo-controller:latest"
 export CORTEX_IMAGE_ARGO_EXECUTOR="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/argo-executor:latest"
 export CORTEX_IMAGE_FLUENTD="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/fluentd:latest"
-export CORTEX_IMAGE_NGINX_BACKEND="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/nginx-backend:latest"
-export CORTEX_IMAGE_NGINX_CONTROLLER="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/nginx-controller:latest"
 export CORTEX_IMAGE_ONNX_SERVE="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/onnx-serve:latest"
 export CORTEX_IMAGE_OPERATOR="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/operator:latest"
 export CORTEX_IMAGE_SPARK="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/spark:latest"
diff --git a/docs/cluster/security.md b/docs/cluster/security.md
index fe9d47be90..64b7b3d43f 100644
--- a/docs/cluster/security.md
+++ b/docs/cluster/security.md
@@ -20,4 +20,4 @@ In order to connect to the operator via the CLI, you must provide valid AWS cred ## API access -By default, your Cortex APIs will be accessible to all traffic. You can restrict access using AWS security groups. Specifically, you will need to edit the security group with the description: "Security group for Kubernetes ELB (cortex/nginx-controller-apis)". +By default, your Cortex APIs will be accessible to all traffic. You can restrict access using AWS security groups. Specifically, you will need to edit the security group with the description: "Security group for Kubernetes ELB (cortex/istio-ingressgateway)". diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 9eed3cc4a4..c832a2dac2 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -20,6 +20,11 @@ RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.15.0/b chmod +x ./kubectl && \ mv ./kubectl /usr/local/bin/kubectl +RUN curl -LO https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz && \ + tar -zxvf helm-v2.14.1-linux-amd64.tar.gz && \ + chmod +x linux-amd64/helm && \ + mv linux-amd64/helm /usr/local/bin/helm + COPY manager /root ENTRYPOINT ["/bin/bash"] diff --git a/images/nginx-backend/Dockerfile b/images/nginx-backend/Dockerfile deleted file mode 100644 index 143a0decfb..0000000000 --- a/images/nginx-backend/Dockerfile +++ /dev/null @@ -1 +0,0 @@ -FROM gcr.io/google_containers/defaultbackend:1.4 diff --git a/images/nginx-controller/Dockerfile b/images/nginx-controller/Dockerfile deleted file mode 100644 index 5e822a9b90..0000000000 --- a/images/nginx-controller/Dockerfile +++ /dev/null @@ -1 +0,0 @@ -FROM quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.19.0 diff --git a/manager/info.sh b/manager/info.sh index d34e683c65..b3374b0acb 100755 --- a/manager/info.sh +++ b/manager/info.sh 
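Review bot: The new `RUN curl -LO https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz` step in images/manager/Dockerfile unpacks and installs the archive with no integrity check, so whatever that URL serves at build time becomes `/usr/local/bin/helm` in the image that renders and applies the cluster manifests. Pin the digest published with the release and verify it before the `tar` line, e.g. `echo "<SHA256_OF_HELM_TARBALL>  helm-v2.14.1-linux-amd64.tar.gz" | sha256sum -c - && \` (placeholder value, to be taken from the Helm release page). The kubectl download in the context lines just above has the same gap. The tarball and the extracted `linux-amd64/` directory also stay in the layer; an `rm -rf helm-v2.14.1-linux-amd64.tar.gz linux-amd64` at the end of the same RUN would drop them.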
@@ -18,12 +18,12 @@ set -e function get_operator_endpoint() { set -eo pipefail - kubectl -n=$CORTEX_NAMESPACE get service nginx-controller-operator -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' + kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' } function get_apis_endpoint() { set -eo pipefail - kubectl -n=$CORTEX_NAMESPACE get service nginx-controller-apis -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' + kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' } eksctl utils write-kubeconfig --name=$CORTEX_CLUSTER --region=$CORTEX_REGION | grep -v "saved kubeconfig as" || true diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 4397d898d9..f10c96edec 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
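Review bot: `get_operator_endpoint` and `get_apis_endpoint` now run the identical `kubectl -n=istio-system get service istio-ingressgateway` command, so the operator and the user APIs are published on one load balancer hostname. docs/cluster/security.md in this same patch describes that load balancer's security group as open to all traffic by default, and with a single ELB the operator and the APIs can no longer be scoped separately at the security-group level; this should be stated in that doc, or the operator given its own gateway. Since both bodies are the same, one helper would avoid them drifting apart. Reading the field directly, `kubectl -n=istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'`, is less fragile than the greedy `sed` over whitespace-stripped JSON.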
@@ -107,34 +107,36 @@ function validate_cortex() { fi if [ "$operator_load_balancer" != "ready" ]; then - out=$(kubectl -n=$CORTEX_NAMESPACE get service nginx-controller-operator -o json | tr -d '[:space:]') + out=$(kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]') if [[ $out != *'"loadBalancer":{"ingress":[{"'* ]]; then + echo "operator loadbalancer not ready" continue fi operator_load_balancer="ready" fi if [ "$api_load_balancer" != "ready" ]; then - out=$(kubectl -n=$CORTEX_NAMESPACE get service nginx-controller-apis -o json | tr -d '[:space:]') + out=$(kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]') if [[ $out != *'"loadBalancer":{"ingress":[{"'* ]]; then + echo "api loadbalancer not ready" continue fi api_load_balancer="ready" fi if [ "$operator_endpoint" = "" ]; then - operator_endpoint=$(kubectl -n=$CORTEX_NAMESPACE get service nginx-controller-operator -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/') + operator_endpoint=$(kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/') fi if [ "$operator_endpoint_reachable" != "ready" ]; then - if ! curl $operator_endpoint >/dev/null 2>&1; then + if ! curl $operator_endpoint/operattor >/dev/null 2>&1; then continue fi operator_endpoint_reachable="ready" fi if [ "$operator_pod_ready_cycles" == "0" ] && [ "$operator_pod_name" != "" ]; then - num_restart=$(kubectl -n=$CORTEX_NAMESPACE get "$operator_pod_name" -o jsonpath='{.status.containerStatuses[0].restartCount}') + num_restart=$(kubectl -n=istio-gateway get "$operator_pod_name" -o jsonpath='{.status.containerStatuses[0].restartCount}') if [[ $num_restart -ge 2 ]]; then echo -e "\n\nAn error occurred when starting the Cortex operator. View the logs with:" echo " kubectl logs $operator_pod_name --namespace=$CORTEX_NAMESPACE" 
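Review bot: Two of the changed lines in this hunk look like mistakes rather than part of the migration. `curl $operator_endpoint/operattor` misspells the path (presumably `/operator`), and because `curl` without `--fail` exits 0 on any HTTP status, the check still passes and only proves that the gateway answers, not that the operator route is served. The restart-count lookup was changed to `kubectl -n=istio-gateway get "$operator_pod_name"`, a namespace this patch never creates (the install step uses `istio-system`), while the log hint two lines below still points at `--namespace=$CORTEX_NAMESPACE`; it should stay `kubectl -n=$CORTEX_NAMESPACE get "$operator_pod_name" -o jsonpath='{.status.containerStatuses[0].restartCount}'`. `$operator_endpoint` is also unquoted in the `curl` call. The body of `validate_cortex` starts and ends outside this hunk, so how a failing lookup is handled cannot be seen here.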
@@ -171,8 +173,14 @@ setup_secrets envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null envsubst < manifests/argo.yaml | kubectl apply -f - >/dev/null -envsubst < manifests/nginx.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null + +kubectl create namespace istio-system +helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - +sleep 20 +helm template manifests/istio --name istio --namespace istio-system | kubectl apply -f - +kubectl label namespace cortex istio-injection=enabled + envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/cluster-autoscaler.yaml | kubectl apply -f - >/dev/null envsubst < manifests/metrics-server.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/istio-init/Chart.yaml b/manager/manifests/istio-init/Chart.yaml new file mode 100644 index 0000000000..2b2b3567da --- /dev/null +++ b/manager/manifests/istio-init/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: istio-init +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2-0" +description: Helm chart to initialize Istio CRDs +keywords: + - istio + - crd +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio-init/README.md b/manager/manifests/istio-init/README.md new file mode 100644 index 0000000000..9a1330bf05 --- /dev/null +++ b/manager/manifests/istio-init/README.md 
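Review bot: The fixed `sleep 20` between the two `helm template … | kubectl apply -f -` calls is a race: the istio chart is applied whether or not the istio-init CRD jobs have finished, and a slow image pull makes the install fail partway with a half-configured ingress gateway. Wait on the jobs instead, `kubectl -n istio-system wait --for=condition=complete job --all --timeout=<SECONDS>` (the timeout is a placeholder). `kubectl create namespace istio-system` fails on a second run; `kubectl get namespace istio-system >/dev/null 2>&1 || kubectl create namespace istio-system` keeps the script re-runnable. The label line hard-codes `cortex` where the rest of the script uses `$CORTEX_NAMESPACE`, so with a non-default namespace sidecar injection is silently not enabled; use `kubectl label namespace "$CORTEX_NAMESPACE" istio-injection=enabled --overwrite`.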
@@ -0,0 +1,77 @@ +# Istio + +[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. + +## Introduction + +This chart bootstraps Istio's [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) +which are an internal implementation detail of Istio. CRDs define data structures for storing runtime configuration +specified by a human operator. + +This chart must be run to completion prior to running other Istio charts, or other Istio charts will fail to initialize. + +## Prerequisites + +- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required +- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required + +## Resources Required + +The chart deploys pods that consume minimal resources. + +## Installing the Chart + +1. If a service account has not already been installed for Tiller, install one: + ``` + $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml + ``` + +1. If Tiller has not already been installed in your cluster, Install Tiller on your cluster with the service account: + ``` + $ helm init --service-account tiller + ``` + +1. Install the Istio initializer chart: + ``` + $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system + ``` + + > Although you can install the `istio-init` chart to any namespace, it is recommended to install `istio-init` in the same namespace(`istio-system`) as other Istio charts. + +## Configuration + +The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. +To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. 
+ +Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table: + +| Parameter | Description | Values | Default | +| --- | --- | --- | --- | +| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` | +| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | +| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | + + +## Uninstalling the Chart + +> Uninstalling this chart does not delete Istio's registered CRDs. Istio by design expects +> CRDs to leak into the Kubernetes environment. As CRDs contain all runtime configuration +> data in CustomResources the Istio designers feel it is better to explicitly delete this +> configuration rather then unexpectedly lose it. + +To uninstall/delete the `istio-init` release but continue to track the release: + ``` + $ helm delete istio-init + ``` + +To uninstall/delete the `istio-init` release completely and make its name free for later use: + ``` + $ helm delete istio-init --purge + ``` + +> Warning: Deleting CRDs will delete any configuration that you have made to Istio. + +To delete all CRDs, run the following command + ``` + $ for i in istio-init/files/*crd*yaml; do kubectl delete -f $i; done + ``` diff --git a/manager/manifests/istio-init/files/crd-10.yaml b/manager/manifests/istio-init/files/crd-10.yaml new file mode 100644 index 0000000000..05162d6a95 --- /dev/null +++ b/manager/manifests/istio-init/files/crd-10.yaml 
@@ -0,0 +1,573 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: policies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
quotaspecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: 
Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 + additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: 
v1alpha2 +--- diff --git a/manager/manifests/istio-init/files/crd-11.yaml b/manager/manifests/istio-init/files/crd-11.yaml new file mode 100644 index 0000000000..f3711ec077 --- /dev/null +++ b/manager/manifests/istio-init/files/crd-11.yaml @@ -0,0 +1,23 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- diff --git a/manager/manifests/istio-init/files/crd-12.yaml b/manager/manifests/istio-init/files/crd-12.yaml new file mode 100644 index 0000000000..36e0c8a26a --- /dev/null +++ b/manager/manifests/istio-init/files/crd-12.yaml @@ -0,0 +1,21 @@ +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizationpolicies.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio +spec: + group: rbac.istio.io + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- diff --git a/manager/manifests/istio-init/files/crd-certmanager-10.yaml b/manager/manifests/istio-init/files/crd-certmanager-10.yaml new file mode 100644 index 0000000000..85a2093bfc --- /dev/null +++ b/manager/manifests/istio-init/files/crd-certmanager-10.yaml 
@@ -0,0 +1,82 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs +--- diff --git a/manager/manifests/istio-init/files/crd-certmanager-11.yaml b/manager/manifests/istio-init/files/crd-certmanager-11.yaml new file mode 100644 index 0000000000..9ae788f746 --- /dev/null +++ b/manager/manifests/istio-init/files/crd-certmanager-11.yaml 
@@ -0,0 +1,74 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Challenge + plural: challenges + scope: Namespaced +--- diff --git a/manager/manifests/istio-init/templates/clusterrole.yaml b/manager/manifests/istio-init/templates/clusterrole.yaml new file mode 100644 index 0000000000..0b7c50fbc0 --- /dev/null +++ b/manager/manifests/istio-init/templates/clusterrole.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-init-{{ .Release.Namespace }} + labels: + app: istio-init + istio: init +rules: +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "get", "list", "watch", "patch"] diff --git a/manager/manifests/istio-init/templates/clusterrolebinding.yaml b/manager/manifests/istio-init/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..481674c0e5 --- /dev/null +++ b/manager/manifests/istio-init/templates/clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-init-admin-role-binding-{{ .Release.Namespace }} + labels: + app: istio-init + istio: init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-init-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-init-service-account + namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio-init/templates/configmap-crd-10.yaml b/manager/manifests/istio-init/templates/configmap-crd-10.yaml new file mode 100644 index 0000000000..69e37fa14c --- /dev/null +++ b/manager/manifests/istio-init/templates/configmap-crd-10.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-10 +data: + crd-10.yaml: |- +{{.Files.Get "files/crd-10.yaml" | printf "%s" | indent 4}} 
diff --git a/manager/manifests/istio-init/templates/configmap-crd-11.yaml b/manager/manifests/istio-init/templates/configmap-crd-11.yaml
new file mode 100644
index 0000000000..952640d60b
--- /dev/null
+++ b/manager/manifests/istio-init/templates/configmap-crd-11.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-11
+data:
+ crd-11.yaml: |-
+{{.Files.Get "files/crd-11.yaml" | printf "%s" | indent 4}}
diff --git a/manager/manifests/istio-init/templates/configmap-crd-12.yaml b/manager/manifests/istio-init/templates/configmap-crd-12.yaml
new file mode 100644
index 0000000000..a497365344
--- /dev/null
+++ b/manager/manifests/istio-init/templates/configmap-crd-12.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-12
+data:
+ crd-12.yaml: |-
+{{.Files.Get "files/crd-12.yaml" | printf "%s" | indent 4}}
diff --git a/manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml b/manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml
new file mode 100644
index 0000000000..8ab3e83568
--- /dev/null
+++ b/manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.certmanager.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: istio-crd-certmanager-10
+data:
+ crd-certmanager-10.yaml: |-
+{{.Files.Get "files/crd-certmanager-10.yaml" | printf "%s" | indent 4}}
+{{- end }}
diff --git a/manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml b/manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml
new file mode 100644
index 0000000000..beef3043d0
--- /dev/null
+++ b/manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml
@@ -0,0 +1,10 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: istio-crd-certmanager-11 +data: + crd-certmanager-11.yaml: |- +{{.Files.Get "files/crd-certmanager-11.yaml" | printf "%s" | indent 4}} +{{- end }} diff --git a/manager/manifests/istio-init/templates/job-crd-10.yaml b/manager/manifests/istio-init/templates/job-crd-10.yaml new file mode 100644 index 0000000000..87d6469157 --- /dev/null +++ b/manager/manifests/istio-init/templates/job-crd-10.yaml @@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-10 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-10 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-10 + mountPath: /etc/istio/crd-10 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-10/crd-10.yaml"] + volumes: + - name: crd-10 + configMap: + name: istio-crd-10 + restartPolicy: OnFailure diff --git a/manager/manifests/istio-init/templates/job-crd-11.yaml b/manager/manifests/istio-init/templates/job-crd-11.yaml new file mode 100644 index 0000000000..0f3a4b895d --- /dev/null +++ b/manager/manifests/istio-init/templates/job-crd-11.yaml 
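Review bot: The `istio-init-crd-10` container is declared without a `securityContext`, even though the pod runs as `istio-init-service-account`, which the ClusterRole in this chart allows to create and patch every CustomResourceDefinition in the cluster. Under the container I would add `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`. Whether `runAsNonRoot: true` can be added as well depends on the user the kubectl image runs as, which is not visible in this patch. The same applies to the Job templates job-crd-11, job-crd-12, job-crd-certmanager-10 and job-crd-certmanager-11.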
@@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-11 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-11 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-11 + mountPath: /etc/istio/crd-11 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-11/crd-11.yaml"] + volumes: + - name: crd-11 + configMap: + name: istio-crd-11 + restartPolicy: OnFailure diff --git a/manager/manifests/istio-init/templates/job-crd-12.yaml b/manager/manifests/istio-init/templates/job-crd-12.yaml new file mode 100644 index 0000000000..a8d483cf3e --- /dev/null +++ b/manager/manifests/istio-init/templates/job-crd-12.yaml @@ -0,0 +1,26 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-12 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-12 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-12 + mountPath: /etc/istio/crd-12 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-12/crd-12.yaml"] + volumes: + - name: crd-12 + configMap: + name: istio-crd-12 + restartPolicy: OnFailure diff --git a/manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml b/manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml new file mode 100644 index 0000000000..028df6e6c9 --- /dev/null +++ b/manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-certmanager-10 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-certmanager-10 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-certmanager-10 + mountPath: /etc/istio/crd-certmanager-10 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-10/crd-certmanager-10.yaml"] + volumes: + - name: crd-certmanager-10 + configMap: + name: istio-crd-certmanager-10 + restartPolicy: OnFailure +{{- end }} diff --git a/manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml b/manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml new file mode 100644 index 0000000000..1b6cb4e354 --- /dev/null +++ b/manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml @@ -0,0 +1,28 @@ +{{- if .Values.certmanager.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: istio-init-crd-certmanager-11 +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-init-service-account + containers: + - name: istio-init-crd-certmanager-11 + image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + volumeMounts: + - name: crd-certmanager-11 + mountPath: /etc/istio/crd-certmanager-11 + readOnly: true + command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-11/crd-certmanager-11.yaml"] + volumes: + - name: crd-certmanager-11 + configMap: + name: istio-crd-certmanager-11 + restartPolicy: OnFailure +{{- end }} 
diff --git a/manager/manifests/istio-init/templates/serviceaccount.yaml b/manager/manifests/istio-init/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..dce901750e
--- /dev/null
+++ b/manager/manifests/istio-init/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-init-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-init
+ istio: init
+
diff --git a/manager/manifests/istio-init/values.yaml b/manager/manifests/istio-init/values.yaml
new file mode 100644
index 0000000000..c28caa7b9e
--- /dev/null
+++ b/manager/manifests/istio-init/values.yaml
@@ -0,0 +1,16 @@
+global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.2.2
+
+ # imagePullPolicy is applied to istio control plane components.
+ # local tests require IfNotPresent, to avoid uploading to dockerhub.
+ # TODO: Switch to Always as default, and override in the local tests.
+ imagePullPolicy: IfNotPresent
+
+certmanager:
+ enabled: false
diff --git a/manager/manifests/istio/Chart.yaml b/manager/manifests/istio/Chart.yaml
new file mode 100644
index 0000000000..7b6f78b890
--- /dev/null
+++ b/manager/manifests/istio/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+name: istio
+version: 1.2.2
+appVersion: 1.2.2
+tillerVersion: ">=2.7.2-0"
+description: Helm chart for all istio components
+keywords:
+ - istio
+ - security
+ - sidecarInjectorWebhook
+ - mixer
+ - pilot
+ - galley
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/certmanager/Chart.yaml b/manager/manifests/istio/charts/certmanager/Chart.yaml
new file mode 100644
index 0000000000..087e8e0146
--- /dev/null
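Review bot: In istio-init/values.yaml, `tag: 1.2.2` combined with `imagePullPolicy: IfNotPresent` means the kubectl image for the CRD Jobs is resolved through a mutable tag and reused from whatever a node already has cached under that name. Those Jobs run with a service account that may create and patch CRDs cluster-wide, so the image content should be fixed. The Job templates build the reference as `{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}`; letting them accept a digest reference of the form `<hub>/kubectl@sha256:<digest>` (placeholder) would pin it. The TODO in this file about defaulting to `Always` is worth resolving in the same change.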
+++ b/manager/manifests/istio/charts/certmanager/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: certmanager
+version: 1.2.2
+appVersion: 0.6.2
+tillerVersion: ">=2.7.2"
diff --git a/manager/manifests/istio/charts/certmanager/templates/NOTES.txt b/manager/manifests/istio/charts/certmanager/templates/NOTES.txt
new file mode 100644
index 0000000000..0307ede4ca
--- /dev/null
+++ b/manager/manifests/istio/charts/certmanager/templates/NOTES.txt
@@ -0,0 +1,6 @@
+certmanager has been deployed successfully!
+
+More information on the different types of issuers and how to configure them
+can be found in our documentation:
+
+https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
\ No newline at end of file
diff --git a/manager/manifests/istio/charts/certmanager/templates/_helpers.tpl b/manager/manifests/istio/charts/certmanager/templates/_helpers.tpl
new file mode 100644
index 0000000000..331a91d433
--- /dev/null
+++ b/manager/manifests/istio/charts/certmanager/templates/_helpers.tpl
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "certmanager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "certmanager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "certmanager.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/certmanager/templates/deployment.yaml b/manager/manifests/istio/charts/certmanager/templates/deployment.yaml new file mode 100644 index 0000000000..fc9eacc5d0 --- /dev/null +++ b/manager/manifests/istio/charts/certmanager/templates/deployment.yaml 
@@ -0,0 +1,69 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: certmanager + namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: certmanager + template: + metadata: + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + annotations: + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: certmanager +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: certmanager + image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=$(POD_NAMESPACE) + {{- if .Values.extraArgs }} +{{ toYaml .Values.extraArgs | indent 8 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: +{{ toYaml .Values.resources | indent 10 }} + {{- if .Values.podDnsPolicy }} + dnsPolicy: {{ .Values.podDnsPolicy }} + {{- end }} + {{- if .Values.podDnsConfig }} + dnsConfig: + {{ toYaml .Values.podDnsConfig | indent 8 }} + {{- end }} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} 
diff --git a/manager/manifests/istio/charts/certmanager/templates/issuer.yaml b/manager/manifests/istio/charts/certmanager/templates/issuer.yaml new file mode 100644 index 0000000000..59402daea2 --- /dev/null +++ b/manager/manifests/istio/charts/certmanager/templates/issuer.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging + namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ .Values.email }} + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-staging + http01: {} +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: letsencrypt + namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: {{ .Values.email }} + privateKeySecretRef: + name: letsencrypt + http01: {} diff --git a/manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..b251e3653f --- /dev/null +++ b/manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,24 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: certmanager + namespace: {{ .Release.Namespace }} + labels: + app: certmanager + chart: {{ template "certmanager.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + version: {{ .Chart.Version }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 4 }} + {{- end }} +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: certmanager + release: {{ .Release.Name }} +{{- end }} diff --git a/manager/manifests/istio/charts/certmanager/templates/rbac.yaml b/manager/manifests/istio/charts/certmanager/templates/rbac.yaml new file mode 100644 index 0000000000..b3a4ef3401 --- /dev/null +++ b/manager/manifests/istio/charts/certmanager/templates/rbac.yaml 
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: certmanager
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["configmaps", "secrets", "events", "services", "pods"]
+ verbs: ["*"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: certmanager
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: certmanager
+subjects:
+ - name: certmanager
+ namespace: {{ .Release.Namespace }}
+ kind: ServiceAccount
diff --git a/manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml b/manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..f875435088
--- /dev/null
+++ b/manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: certmanager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: certmanager
+ chart: {{ template "certmanager.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/certmanager/values.yaml b/manager/manifests/istio/charts/certmanager/values.yaml
new file mode 100644
index 0000000000..0685fc3c11
--- /dev/null
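Review bot: The second rule of the `certmanager` ClusterRole in rbac.yaml grants `verbs: ["*"]` on `configmaps`, `secrets`, `events`, `services` and `pods` in the core API group. The ClusterRoleBinding below it applies that cluster-wide, so the certmanager service account can read and rewrite every Secret in every namespace. I would give `secrets` its own rule and replace the wildcard with the verbs the controller actually uses, for example `verbs: ["get", "list", "watch", "create", "update", "delete"]`. The exact set needs checking against the cert-manager version pinned in this subchart's values.yaml (v0.6.2). That values.yaml ships `enabled: false`, so this presumably only takes effect once the subchart is switched on.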
+++ b/manager/manifests/istio/charts/certmanager/values.yaml @@ -0,0 +1,33 @@ +# Certmanager uses ACME to sign certificates. Since Istio gateways are +# mounting the TLS secrets the Certificate CRDs must be created in the +# istio-system namespace. Once the certificate has been created, the +# gateway must be updated by adding 'secretVolumes'. After the gateway +# restart, DestinationRules can be created using the ACME-signed certificates. +enabled: false +replicaCount: 1 +hub: quay.io/jetstack +tag: v0.6.2 +resources: {} +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] diff --git a/manager/manifests/istio/charts/galley/Chart.yaml b/manager/manifests/istio/charts/galley/Chart.yaml new file mode 100644 index 0000000000..d9697db8b5 --- /dev/null +++ b/manager/manifests/istio/charts/galley/Chart.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +name: galley +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2" +description: Helm chart for galley deployment +keywords: + - istio + - galley +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio/charts/galley/templates/_helpers.tpl b/manager/manifests/istio/charts/galley/templates/_helpers.tpl new file mode 100644 index 0000000000..5d42f4a033 --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "galley.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "galley.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "galley.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/galley/templates/clusterrole.yaml b/manager/manifests/istio/charts/galley/templates/clusterrole.yaml new file mode 100644 index 0000000000..6385c88829 --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/clusterrole.yaml 
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-galley-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "galley.name" . }}
+ chart: {{ template "galley.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["*"]
+- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions","apps"]
+ resources: ["deployments"]
+ resourceNames: ["istio-galley"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["pods", "nodes", "services", "endpoints"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["deployments/finalizers"]
+ resourceNames: ["istio-galley"]
+ verbs: ["update"]
diff --git a/manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..88cde2554b
--- /dev/null
+++ b/manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml
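Review bot: The first rule of the galley ClusterRole gives `verbs: ["*"]` on all `validatingwebhookconfigurations` with no `resourceNames`, so the galley service account can alter or delete any admission webhook in the cluster, not only its own. The webhook template in this chart names its object `istio-galley`, so write access can be limited to that name. Read and create access has to stay unscoped, because create requests cannot be restricted by object name. Which verbs galley really needs at 1.2.2 is an assumption to confirm before merging; the split would look like this.

```yaml
rules:
# read and create cannot be limited by object name
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["get", "list", "watch", "create"]
# write access only to galley's own webhook configuration
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  resourceNames: ["istio-galley"]
  verbs: ["update", "patch", "delete"]
# … unchanged: remaining read-only rules and the deployments rules …
```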
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-{{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/charts/galley/templates/configmap.yaml b/manager/manifests/istio/charts/galley/templates/configmap.yaml new file mode 100644 index 0000000000..b138f2ef86 --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/configmap.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +data: + validatingwebhookconfiguration.yaml: |- + {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} \ No newline at end of file diff --git a/manager/manifests/istio/charts/galley/templates/deployment.yaml b/manager/manifests/istio/charts/galley/templates/deployment.yaml new file mode 100644 index 0000000000..e565c23fea --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/deployment.yaml 
@@ -0,0 +1,124 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: galley + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-galley-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: galley +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 443 + - containerPort: {{ .Values.global.monitoringPort }} + - containerPort: 9901 + command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s + - --deployment-namespace={{ .Release.Namespace }} +{{- if $.Values.global.controlPlaneSecurityEnabled}} + - --insecure=false +{{- else }} + - --insecure=true +{{- end }} +{{- if not $.Values.global.useMCP }} + - --enable-server=false +{{- end }} + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort={{ .Values.global.monitoringPort }} +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} + volumeMounts: + 
- name: certs + mountPath: /etc/certs + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: mesh-config + mountPath: /etc/mesh-config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + - name: mesh-config + configMap: + name: istio + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} diff --git a/manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..75bf77834a --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml 
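Review bot: The `else` branch of the `controlPlaneSecurityEnabled` check in the galley Deployment starts the server with `--insecure=true`, and the Service in this chart publishes port 9901 as `grpc-mcp`. If I read the flag correctly, it turns off transport security on galley's gRPC server. With `global.useMCP` on and `controlPlaneSecurityEnabled` off, any pod that can reach the Service could then use that port without authentication. The defaults for both values are in the parent chart's values.yaml, outside this hunk. I would have the installer set `global.controlPlaneSecurityEnabled: true`, or at least put a comment above the branch such as `# --insecure=true serves MCP without TLS; only acceptable when network policy restricts port 9901`.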
@@ -0,0 +1,22 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: {{ template "galley.name" . }} + release: {{ .Release.Name }} + istio: galley +{{- end }} diff --git a/manager/manifests/istio/charts/galley/templates/service.yaml b/manager/manifests/istio/charts/galley/templates/service.yaml new file mode 100644 index 0000000000..cd21fd1925 --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/service.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: {{ .Values.global.monitoringPort }} + name: http-monitoring + - port: 9901 + name: grpc-mcp + selector: + istio: galley diff --git a/manager/manifests/istio/charts/galley/templates/serviceaccount.yaml b/manager/manifests/istio/charts/galley/templates/serviceaccount.yaml new file mode 100644 index 0000000000..1ff54c49e7 --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/serviceaccount.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-galley-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl b/manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl new file mode 100644 index 0000000000..7847d2433c --- /dev/null +++ b/manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl 
@@ -0,0 +1,120 @@ +{{ define "validatingwebhookconfiguration.yaml.tpl" }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-galley + labels: + app: {{ template "galley.name" . }} + chart: {{ template "galley.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: galley +webhooks: +{{- if .Values.global.configValidation }} + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: {{ .Release.Namespace }} + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + sideEffects: None + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: {{ .Release.Namespace }} + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + - adapters + - handlers + - 
instances + - templates + - zipkins + failurePolicy: Fail + sideEffects: None +{{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/galley/values.yaml b/manager/manifests/istio/charts/galley/values.yaml new file mode 100644 index 0000000000..24c0ddf31c --- /dev/null +++ b/manager/manifests/istio/charts/galley/values.yaml @@ -0,0 +1,29 @@ +# +# galley configuration +# +enabled: true +replicaCount: 1 +image: galley +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] diff --git a/manager/manifests/istio/charts/gateways/Chart.yaml b/manager/manifests/istio/charts/gateways/Chart.yaml new file mode 100644 index 0000000000..cd08e7cfe8 --- /dev/null +++ b/manager/manifests/istio/charts/gateways/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +name: gateways +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio gateways +keywords: + - istio + - ingressgateway + - egressgateway + - gateways +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png 
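Review bot: Both webhooks in validatingwebhookconfiguration.yaml.tpl are declared with `caBundle: ""` and `failurePolicy: Fail`, and nothing in the template explains it, so a reader cannot tell an intentional placeholder from a forgotten value. configmap.yaml in this chart only embeds the template into the `istio-galley-configuration` ConfigMap, which the galley container mounts at /etc/config. That suggests galley fills in the CA and registers the object itself at runtime. After confirming that behaviour, I would state it in a template comment at the top, e.g. `{{/* Rendered into istio-galley-configuration; galley sets caBundle at runtime. failurePolicy Fail blocks Istio config writes while galley is unavailable. */}}`.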
diff --git a/manager/manifests/istio/charts/gateways/templates/_affinity.tpl b/manager/manifests/istio/charts/gateways/templates/_affinity.tpl new file mode 100644 index 0000000000..8e216de2c8 --- /dev/null +++ b/manager/manifests/istio/charts/gateways/templates/_affinity.tpl 
@@ -0,0 +1,93 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{- define "gatewaynodeaffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewayNodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewayNodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "gatewayNodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .root.Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val }} + {{- end }} +{{- end }} + +{{- define "gatewayNodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .root.Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "gatewaypodAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/gateways/templates/_helpers.tpl b/manager/manifests/istio/charts/gateways/templates/_helpers.tpl new file mode 100644 index 0000000000..bfc8bc4004 --- /dev/null +++ b/manager/manifests/istio/charts/gateways/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "gateway.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gateway.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gateway.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/gateways/templates/autoscale.yaml b/manager/manifests/istio/charts/gateways/templates/autoscale.yaml new file mode 100644 index 0000000000..2455ac3450 --- /dev/null +++ b/manager/manifests/istio/charts/gateways/templates/autoscale.yaml 
@@ -0,0 +1,31 @@ +{{- range $key, $spec := .Values }} +{{- if ne $key "enabled" }} +{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: + maxReplicas: {{ $spec.autoscaleMax }} + minReplicas: {{ $spec.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $key }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/gateways/templates/deployment.yaml b/manager/manifests/istio/charts/gateways/templates/deployment.yaml new file mode 100644 index 0000000000..bf34434a0d --- /dev/null +++ b/manager/manifests/istio/charts/gateways/templates/deployment.yaml 
@@ -0,0 +1,318 @@ +{{- range $key, $spec := .Values }} +{{- if ne $key "enabled" }} +{{- if $spec.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: +{{- if not $spec.autoscaleEnabled }} +{{- if $spec.replicaCount }} + replicas: {{ $spec.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + selector: + matchLabels: + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + template: + metadata: + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if $spec.podAnnotations }} +{{ toYaml $spec.podAnnotations | indent 8 }} +{{ end }} + spec: + serviceAccountName: {{ $key }}-service-account +{{- if $.Values.global.priorityClassName }} + priorityClassName: "{{ $.Values.global.priorityClassName }}" +{{- end }} +{{- if $.Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" $.Values.global.proxy_init.image }} + image: "{{ $.Values.global.proxy_init.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + securityContext: + privileged: true +{{- end }} + containers: +{{- if $spec.sds }} +{{- if $spec.sds.enabled }} + - name: ingress-sds +{{- if contains "/" $spec.sds.image }} + image: "{{ $spec.sds.image }}" +{{- else }} + image: "{{ 
$.Values.global.hub }}/{{ $spec.sds.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + resources: +{{- if $spec.sds.resources }} +{{ toYaml $spec.sds.resources | indent 12 }} +{{- else }} +{{ toYaml $.Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: "ENABLE_WORKLOAD_SDS" + value: "false" + - name: "ENABLE_INGRESS_GATEWAY_SDS" + value: "true" + - name: "INGRESS_GATEWAY_NAMESPACE" + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + volumeMounts: + - name: ingressgatewaysdsudspath + mountPath: /var/run/ingress_gateway +{{- end }} +{{- end }} + - name: istio-proxy +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + ports: + {{- range $key, $val := $spec.ports }} + - containerPort: {{ $val.port }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} + {{- if $.Values.global.proxy.logLevel }} + - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} + {{- end}} + {{- if $.Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} + {{- end}} + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - {{ $key }} + - --zipkinAddress + {{- if $.Values.global.tracer.zipkin.address }} + - {{ $.Values.global.tracer.zipkin.address }} + {{- else if $.Values.global.istioNamespace }} + - zipkin.{{ $.Values.global.istioNamespace }}:9411 + 
{{- else }} + - zipkin:9411 + {{- end }} + {{- if $.Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }} + {{- end }} + {{- if $.Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }} + {{- end }} + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + {{- if $.Values.global.controlPlaneSecurityEnabled }} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + {{- if $.Values.global.istioNamespace }} + - istio-pilot.{{ $.Values.global.istioNamespace }}:15011 + {{- else }} + - istio-pilot:15011 + {{- end }} + {{- else }} + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + {{- if $.Values.global.istioNamespace }} + - istio-pilot.{{ $.Values.global.istioNamespace }}:15010 + {{- else }} + - istio-pilot:15010 + {{- end }} + {{- if $spec.applicationPorts }} + - --applicationPorts + - "{{ $spec.applicationPorts }}" + {{- end }} + {{- end }} + {{- if $.Values.global.trustDomain }} + - --trust-domain={{ $.Values.global.trustDomain }} + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $spec.resources }} +{{ toYaml $spec.resources | indent 12 }} +{{- else }} +{{ toYaml $.Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + 
fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ISTIO_META_USER_SDS + value: "true" + {{- end }} + {{- end }} + {{- if $spec.env }} + {{- range $key, $val := $spec.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- end }} + volumeMounts: + {{- if $.Values.global.sds.enabled }} + - name: sdsudspath + mountPath: /var/run/sds + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ingressgatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- end }} + {{- end }} + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- range $spec.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} +{{- if $spec.additionalContainers }} +{{ toYaml $spec.additionalContainers | indent 8 }} +{{- end }} + volumes: + {{- if $spec.sds }} + {{- if $spec.sds.enabled }} + - name: ingressgatewaysdsudspath + emptyDir: {} + {{- end }} + {{- end }} + {{- if $.Values.global.sds.enabled }} + - name: sdsudspath + hostPath: + path: /var/run/sds + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ $.Values.global.trustDomain }} + {{- end }} + {{- end }} + - name: istio-certs + secret: + secretName: istio.{{ $key }}-service-account + optional: true + {{- range $spec.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $spec.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | 
quote }} + optional: true + {{- end }} + affinity: + {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }} + {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }} + {{- if $spec.tolerations }} + tolerations: +{{ toYaml $spec.tolerations | indent 6 }} + {{- else if $.Values.global.defaultTolerations }} + tolerations: +{{ toYaml $.Values.global.defaultTolerations | indent 6 }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..36a2d5a9cb --- /dev/null +++ b/manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml @@ -0,0 +1,31 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "enabled") }} +{{- if $spec.enabled }} +{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: +{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} 
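Review bot: The `enable-core-dump` init container in deployment.yaml runs with `securityContext: privileged: true` in order to execute `sysctl -w kernel.core_pattern=...`, and nothing next to it says that this is a node-level change rather than a per-pod one; as far as I know `kernel.core_pattern` is not namespaced, so turning on `global.proxy.enableCoreDump` would alter core-dump handling for every workload on the node the gateway is scheduled to. I would add a comment above the block, `{{/* enableCoreDump: privileged init container, rewrites the node-wide kernel.core_pattern; debugging only */}}`, and confirm the flag stays off in the values this repo ships. Separately, the `--applicationPorts` argument is emitted only inside the `{{- else }}` branch of `global.controlPlaneSecurityEnabled`, so it is dropped whenever control-plane mTLS is on; moving the `{{- if $spec.applicationPorts }}` block below that branch's closing `{{- end }}` would make it apply in both cases. The chart looks vendored from upstream Istio 1.2.2, so these may be better carried as a local patch or a values override.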
diff --git a/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml b/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml
new file mode 100644
index 0000000000..8d3dee930e
--- /dev/null
+++ b/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml
@@ -0,0 +1,239 @@ +{{- if .Values.global.k8sIngress.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-autogenerated-k8s-ingress + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + istio: {{ .Values.global.k8sIngress.gatewayName }} + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" +{{ if .Values.global.k8sIngress.enableHttps }} + - port: + number: 443 + protocol: HTTPS + name: https-default + tls: + mode: SIMPLE + serverCertificate: /etc/istio/ingress-certs/tls.crt + privateKey: /etc/istio/ingress-certs/tls.key + hosts: + - "*" +{{ end }} +--- +{{ end }} + +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-ilb-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + istio: ilbgateway + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 8060 + protocol: TCP + name: tcp-citadel + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +{{- else }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - port: + number: 15011 + protocol: TCP + name: tcp-pilot + hosts: + - "*" + - port: + number: 8060 + protocol: TCP + name: tcp-citadel + hosts: + - "*" + - port: + number: 15004 + name: tls-mixer + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH + hosts: + - "*" +--- +{{- end }} +{{- end }} + +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-egressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-egressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - hosts: + - "*.global" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + servers: + - hosts: + - "*.global" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + workloadLabels: + {{- range $key, $spec := .Values }} + {{- if eq $key "istio-ingressgateway" }} + {{- if $spec.enabled }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + filters: + - listenerMatch: + portNumber: 15443 + listenerType: GATEWAY + insertPosition: + index: AFTER + relativeTo: envoy.filters.network.sni_cluster + filterName: envoy.filters.network.tcp_cluster_rewrite + filterType: NETWORK + filterConfig: + cluster_pattern: "\\.global$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +## To ensure all traffic to *.global is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-destinationrule + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "gateway.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: "*.global" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +{{- end }} 
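Review bot: The HTTPS server of `istio-autogenerated-k8s-ingress` reads its key pair from `/etc/istio/ingress-certs/tls.crt` and `/etc/istio/ingress-certs/tls.key`, but the gateways values.yaml added in this same patch mounts the ingress gateway secrets at `/etc/istio/ingressgateway-certs` and `/etc/istio/ingressgateway-ca-certs`, so with `global.k8sIngress.enableHttps` set the listener would point at files that, from what is visible here, no volume provides. Either change the two paths to `/etc/istio/ingressgateway-certs/tls.crt` and `/etc/istio/ingressgateway-certs/tls.key`, or add a matching `secretVolumes` entry for whichever gateway `global.k8sIngress.gatewayName` selects. The port-80 server in the same Gateway accepts `hosts: "*"` without `tls.httpsRedirect`, which deserves a one-line comment so that plaintext ingress is a recorded decision rather than a default nobody looked at.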
diff --git a/manager/manifests/istio/charts/gateways/templates/role.yaml b/manager/manifests/istio/charts/gateways/templates/role.yaml
new file mode 100644
index 0000000000..de46604421
--- /dev/null
+++ b/manager/manifests/istio/charts/gateways/templates/role.yaml
@@ -0,0 +1,18 @@
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $key }}-sds
+ namespace: {{ $.Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/templates/rolebindings.yaml b/manager/manifests/istio/charts/gateways/templates/rolebindings.yaml
new file mode 100644
index 0000000000..4bb30150d7
--- /dev/null
+++ b/manager/manifests/istio/charts/gateways/templates/rolebindings.yaml
@@ -0,0 +1,21 @@
+{{- range $key, $spec := .Values }}
+{{- if ne $key "enabled" }}
+{{- if $spec.enabled }}
+{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $key }}-sds
+ namespace: {{ $.Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $key }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $key }}-service-account
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/templates/service.yaml b/manager/manifests/istio/charts/gateways/templates/service.yaml
new file mode 100644
index 0000000000..9474f04769
--- /dev/null
+++ b/manager/manifests/istio/charts/gateways/templates/service.yaml
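Review bot: The guard `{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}` in role.yaml is written infix, whereas Go templates take `and` as a prefix function; depending on the template engine version I believe this either fails to render or evaluates only `($spec.sds)`, and because values.yaml defines an `sds:` map for `istio-ingressgateway` with `enabled: false`, the second outcome would create a Role granting `get`, `watch`, `list` on every Secret in the release namespace even though SDS is switched off. rolebindings.yaml repeats the same condition and would then bind that Role to `{{ $key }}-service-account`. deployment.yaml already uses the nested form, so I would write `{{- if $spec.sds }}` followed by `{{- if $spec.sds.enabled }}` in both files, with the extra `{{- end }}`. Both objects are also placed in `$.Release.Namespace` while serviceaccount.yaml uses `$spec.namespace | default $.Release.Namespace`, so a gateway given its own `namespace` would get a binding that does not resolve to its account.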
@@ -0,0 +1,59 @@ +{{- range $key, $spec := .Values }} +{{- if ne $key "enabled" }} +{{- if $spec.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + annotations: + {{- range $key, $val := $spec.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: +{{- if $spec.loadBalancerIP }} + loadBalancerIP: "{{ $spec.loadBalancerIP }}" +{{- end }} +{{- if $spec.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml $spec.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if $spec.externalTrafficPolicy }} + externalTrafficPolicy: {{$spec.externalTrafficPolicy }} +{{- end }} +{{- if $spec.externalIPs }} + externalIPs: +{{ toYaml $spec.externalIPs | indent 4 }} +{{- end }} + type: {{ .type }} + selector: + release: {{ $.Release.Name }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + ports: + {{- range $key, $val := $spec.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $spec.meshExpansionPorts }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml b/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml new file mode 100644 index 0000000000..d4f6938c10 --- /dev/null +++ b/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml 
@@ -0,0 +1,24 @@ +{{- range $key, $spec := .Values }} +{{- if ne $key "enabled" }} +{{- if $spec.enabled }} +apiVersion: v1 +kind: ServiceAccount +{{- if $.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range $.Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ $key }}-service-account + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + app: {{ $spec.labels.app }} + chart: {{ template "gateway.chart" $ }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} +--- +{{- end }} +{{- end }} +{{- end }} + diff --git a/manager/manifests/istio/charts/gateways/values.yaml b/manager/manifests/istio/charts/gateways/values.yaml new file mode 100644 index 0000000000..1289afc92f --- /dev/null +++ b/manager/manifests/istio/charts/gateways/values.yaml 
@@ -0,0 +1,281 @@ +# +# Gateways Configuration +# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. +# You can add more gateways in addition to the defaults but make sure those are uniquely named +# and that NodePorts are not conflicting. +# Disable specifc gateway by setting the `enabled` to false. +# +enabled: true + +istio-ingressgateway: + enabled: true + # + # Secret Discovery Service (SDS) configuration for ingress gateway. + # + sds: + # If true, ingress gateway fetches credentials from SDS server to handle TLS connections. + enabled: false + # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. + # This server runs in the same pod as ingress gateway. + image: node-agent-k8s + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + labels: + app: istio-ingressgateway + istio: ingressgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalIPs: [] + serviceAnnotations: {} + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out + ports: + ## You can add custom gateway ports + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15020 + targetPort: 15020 + name: status-port + - port: 80 + targetPort: 80 + name: http2 + nodePort: 31380 + - port: 443 + name: https + nodePort: 31390 + # Example of a port to add. 
Remove if not needed + - port: 31400 + name: tcp + nodePort: 31400 + ### PORTS FOR UI/metrics ##### + ## Disable if not needed + - port: 15029 + targetPort: 15029 + name: https-kiali + - port: 15030 + targetPort: 15030 + name: https-prometheus + - port: 15031 + targetPort: 15031 + name: https-grafana + - port: 15032 + targetPort: 15032 + name: https-tracing + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + #### MESH EXPANSION PORTS ######## + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + # Delete these ports if mesh expansion is not enabled, to avoid + # exposing unnecessary ports on the web. + # You can remove these ports if you are not using mesh expansion + meshExpansionPorts: + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 15004 + targetPort: 15004 + name: tcp-mixer-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + - port: 853 + targetPort: 853 + name: tcp-dns-tls + ####### end MESH EXPANSION PORTS ###### + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + ### Advanced options ############ + + # Ports to explicitly check for readiness. If configured, the readiness check will expect a + # listener on these ports. A comma separated list is expected, such as "80,443". + # + # Warning: If you do not have a gateway configured for the ports provided, this check will always + # fail. This is intended for use cases where you always expect to have a listener on the port, + # such as 80 or 443 in typical setups. 
+ applicationPorts: "" + + env: + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote “hard” vs. “soft” requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # “security” and value “S1”. 
+ podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + +istio-egressgateway: + enabled: false + labels: + app: istio-egressgateway + istio: egressgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 256Mi + cpu: + targetAverageUtilization: 80 + serviceAnnotations: {} + podAnnotations: {} + type: ClusterIP #change to NodePort or LoadBalancer if need be + ports: + - port: 80 + name: http2 + - port: 443 + name: https + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + #### Advanced options ######## + env: + # Set this to "external" if and only if you want the egress gateway to + # act as a transparent SNI gateway that routes mTLS/TLS traffic to + # external services defined using service entries, where the service + # entry has resolution set to DNS, has one or more endpoints with + # network field set to "external". By default its set to "" so that + # the egress gateway sees the same set of endpoints as the sidecars + # preserving backward compatibility + # ISTIO_META_REQUESTED_NETWORK_VIEW: "" + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. 
+ # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote “hard” vs. “soft” requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # “security” and value “S1”. + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + +# Mesh ILB gateway creates a gateway of type InternalLoadBalancer, +# for mesh expansion. It exposes the mtls ports for Pilot,CA as well +# as non-mtls ports to support upgrades and gradual transition. +istio-ilbgateway: + enabled: false + labels: + app: istio-ilbgateway + istio: ilbgateway + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + # specify replicaCount when autoscaleEnabled: false + # replicaCount: 1 + cpu: + targetAverageUtilization: 80 + resources: + requests: + cpu: 800m + memory: 512Mi + #limits: + # cpu: 1800m + # memory: 256Mi + loadBalancerIP: "" + serviceAnnotations: + cloud.google.com/load-balancer-type: "internal" + podAnnotations: {} + type: LoadBalancer + ports: + ## You can add custom gateway ports - google ILB default quota is 5 ports, + - port: 15011 + name: grpc-pilot-mtls + # Insecure port - only for migration from 0.8. 
Will be removed in 1.1 + - port: 15010 + name: grpc-pilot + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + # Port 5353 is forwarded to kube-dns + - port: 5353 + name: tcp-dns + secretVolumes: + - name: ilbgateway-certs + secretName: istio-ilbgateway-certs + mountPath: /etc/istio/ilbgateway-certs + - name: ilbgateway-ca-certs + secretName: istio-ilbgateway-ca-certs + mountPath: /etc/istio/ilbgateway-ca-certs + nodeSelector: {} + tolerations: [] diff --git a/manager/manifests/istio/charts/grafana/Chart.yaml b/manager/manifests/istio/charts/grafana/Chart.yaml new file mode 100644 index 0000000000..1e951c944f --- /dev/null +++ b/manager/manifests/istio/charts/grafana/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: grafana +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2" diff --git a/manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json new file mode 100644 index 0000000000..e4d7968003 --- /dev/null +++ b/manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json 
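Review bot: The default `istio-ingressgateway` is `type: LoadBalancer` with `loadBalancerSourceRanges: []`, and its `ports` list publishes 15029 to 15032 (`https-kiali`, `https-prometheus`, `https-grafana`, `https-tracing`) and the example `tcp` port 31400 next to 80 and 443, so unless an override narrows this the Service puts those ports on an externally reachable load balancer with no source restriction; whether anything answers on them depends on Gateway resources not shown here. The file's own comments already say "Disable if not needed" and "Remove if not needed", so for this deployment I would delete the UI/metrics entries and the example port, or set `loadBalancerSourceRanges` to the operator's CIDRs. `meshExpansionPorts` is rendered by service.yaml only when `global.meshExpansion.enabled` is set, so it is less of a concern as shipped. `istio-ilbgateway` also lists port 15010, which its own comment labels an insecure port; it is disabled by default, but the entry is worth removing before that gateway is ever enabled.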
@@ -0,0 +1,1819 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 46, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"galley\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Galley Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 40, + 
"panels": [], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 36, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "A" + }, + { + "expr": "process_resident_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "B" + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "C" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F" + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "G" + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "H" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Total 
(kis)", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 38, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "galley (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": 
null, + "timeRegions": [], + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 12, + "y": 6 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Open FDs (galley)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} ", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": 
null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 6 + }, + "id": 44, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "goroutines_total", + "refId": "A" + }, + { + "expr": "galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "clients_total", + "refId": "B" + }, + { + "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "avg_goroutines_per_client", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 10, + "panels": [], + "title": "Runtime", + "type": 
"row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 15 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Strategy Change Events", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Processed Events", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Snapshot Published", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Event Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 15 + }, + "id": 4, 
+ "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Max Time Reached", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Quiesce Reached", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Timer Resets", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Timer Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 15 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": 
"null", + "percentage": false, + "pointradius": 3, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P95", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Events Per Snapshot", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 
1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ typeURL }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "State Type Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Count", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 34, + "panels": [], + "title": "Validation", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 28 + }, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": 
"galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 28 + }, + "id": 30, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Resource 
Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 28 + }, + "id": 32, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 34 + }, + 
"id": 12, + "panels": [], + "title": "Kubernetes Source", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Success", + "refId": "A" + }, + { + "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Source Event Rate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 16, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + 
"linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Successes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Conversions/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": 
null, + "title": "Kubernetes Object Conversion Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Failures/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 41 + }, + "id": 18, + "panels": [], + "title": "Mesh Configuration Protocol", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_mcp_source_clients_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Clients", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Connected Clients", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": 
null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request ACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "ACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 42 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request NACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "NACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "TSEY6jLmk", + "version": 1 +} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json new file mode 100644 index 0000000000..99c911f4d2 --- /dev/null +++ b/manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json 
@@ -0,0 +1,953 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false 
+ }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + 
"text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 111, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + 
"show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "version": 4 +} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json new file mode 100644 index 0000000000..20d9446dcf --- /dev/null +++ b/manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json 
@@ -0,0 +1,1822 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": 9, + "links": [], + "panels": [ + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 21, + "panels": [ + { + "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. 
For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.\n\n\n", + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 19, + "links": [], + "mode": "markdown", + "timeFrom": null, + "timeShift": null, + "title": "Performance Dashboard README", + "transparent": true, + "type": "text" + } + ], + "title": "Performance Dashboard Notes", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 6, + "panels": [], + "title": "vCPU Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "fill": 1, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 2 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "fill": 1, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + 
"spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 10 + }, + "id": 13, + "panels": [], + "title": "Memory and Data Rates", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": 
false, + "fill": 1, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 11 + }, + "id": 902, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio proxy", + "refId": "C" + }, + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory Usage", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + 
"type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "fill": 1, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 11 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": 
"time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio_policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 17, + "panels": [], + "title": "Istio Component Versions", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "fill": 1, + "gridPos": { + "h": 8, + "w": 24, + "x": 0, + "y": 20 + }, + "id": 15, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + 
"title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 31 + }, + "id": 71, + "panels": [], + "title": "Proxy Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 32 + }, + "id": 72, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + 
"label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 32 + }, + "id": 73, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 32 + }, + "id": 702, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + 
"nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_fs_usage_bytes{container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 39 + }, + "id": 69, + "panels": [], + "title": "Pilot Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 40 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 
+ }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + 
"min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 40 + }, + "id": 602, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + 
"label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 40 + }, + "id": 74, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": 
false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 40 + }, + "id": 402, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 93, + "panels": [], + "title": "Mixer Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 48 + }, + "id": 94, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + 
"spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=~\"istio-policy|istio-telemetry\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name 
}} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 48 + }, + "id": 95, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=~\"istio-policy|istio-telemetry\"}[1m])", + "format": 
"time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 48 + }, + "id": 96, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=~\"istio-policy|istio-telemetry\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + 
"type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 48 + }, + "id": 97, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"istio-telemetry\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 18, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + 
"timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "uid": "vu8e0VWZk", + "version": 22 +} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json new file mode 100644 index 0000000000..871dc3d814 --- /dev/null +++ b/manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json @@ -0,0 +1,2601 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "iteration": 1536442501501, + "links": [], + "panels": [ + { + "content": "
\nSERVICE: $service\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": 
"connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Received Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": 
"time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + 
"dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + 
"yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Sent Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nCLIENT WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 
1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + 
"rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "
\nSERVICE WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + 
"stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": 
"time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", 
destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + 
"shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", 
destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + 
"aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": 
"0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + 
"buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + 
] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 1 +} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json new file mode 100644 index 0000000000..d0953c078d --- /dev/null +++ b/manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json @@ -0,0 +1,2303 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
\nWORKLOAD: $workload.$namespace\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 
80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 0, + 
"y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": 
"", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nINBOUND WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And 
Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
\nOUTBOUND SERVICES\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": 
true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", 
source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + "legend": { + "alignAsTable": false, + "avg": 
false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", 
destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, 
+ "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} diff --git a/manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json new file mode 100644 index 0000000000..8ca438c497 --- /dev/null +++ b/manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json 
@@ -0,0 +1,1808 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1543881232533, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 62, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 64, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Mixer Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + 
"format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": 
null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + 
"w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Mixer Overview

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 21 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_server_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 21 + }, + "id": 8, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 21 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, 
+ "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 21 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ 
grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Adapters and Config

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 37 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + 
"pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 37 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 37 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 37 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Individual Adapters

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 44 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 48 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + 
"w": 12, + "x": 12, + "y": 48 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Mixer Dashboard", + "version": 4 +}
diff --git a/manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json
new file mode 100644
index 0000000000..cca5509b3a
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json
@@ -0,0 +1,1788 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": 6, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 60, + "panels": [], + "title": "Deployed Versions", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Pilot Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 6 + }, + "id": 62, + "panels": 
[], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": 
"sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + 
"step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + 
"max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 58, + "panels": [], + "title": "Pilot Push Information", + "type": "row" + }, + { + "aliasColors": {}, + "bars": true, + "dashLength": 10, + "dashes": false, + "description": "Shows pilot pushes", + "fill": 1, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 15 + }, + "id": 622, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": false, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "paceLength": 10, + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(pilot_xds_pushes{type!~\".*_senderr\"}[1m])) by (type)", + "format": "time_series", + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ type }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Pilot Pushes", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + 
"description": "Captures a variety of pilot errors", + "fill": 1, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 15 + }, + "id": 67, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "sum(rate(pilot_xds_push_errors{job=\"pilot\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Pilot Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 23 + }, + "id": 64, + "panels": [], + "title": "xDS", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 24 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 24 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + 
"min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 24 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + 
"refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 30 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 30 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, 
+ "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 30 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + 
"renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 38 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 
0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 38 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + 
"datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 38 + }, + "id": 53, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 45 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ 
+ { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 18, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Pilot Dashboard", + "uid": "3--MLVZZk", + "version": 1 +} diff --git a/manager/manifests/istio/charts/grafana/templates/_helpers.tpl b/manager/manifests/istio/charts/grafana/templates/_helpers.tpl new file mode 100644 index 0000000000..9d4c59205c --- /dev/null +++ b/manager/manifests/istio/charts/grafana/templates/_helpers.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "grafana.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "grafana.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml b/manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml
new file mode 100644
index 0000000000..b89bc07654
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: grafana
+data:
+ custom-resources.yaml: |-
+ {{- include "grafana-default.yaml.tpl" . | indent 4}}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml b/manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml
new file mode 100644
index 0000000000..dd1ab0d75a
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml
@@ -0,0 +1,18 @@
+{{- $files := .Files }}
+{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+{{- $filename := trimSuffix (ext $path) (base $path) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-configuration-dashboards-{{ $filename }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" $ }}
+ chart: {{ template "grafana.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: grafana
+data:
+ {{ base $path }}: '{{ $files.Get $path }}'
+---
+{{- end }}
diff --git a/manager/manifests/istio/charts/grafana/templates/configmap.yaml b/manager/manifests/istio/charts/grafana/templates/configmap.yaml
new file mode 100644
index 0000000000..c86efe1f4c
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: grafana
+data:
+{{- if .Values.datasources }}
+ {{- range $key, $value := .Values.datasources }}
+ {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+ {{- end -}}
+{{- end -}}
+
+{{- if .Values.dashboardProviders }}
+ {{- range $key, $value := .Values.dashboardProviders }}
+ {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+ {{- end -}}
+{{- end -}}
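Review bot: In configmap-dashboards.yaml the data entry `{{ base $path }}: '{{ $files.Get $path }}'` pastes the raw dashboard file into a single-quoted YAML scalar, so the first apostrophe in any dashboard JSON (a panel description, a legend string) ends the scalar early and the manifest either fails to parse or is loaded with truncated content. Letting the template engine do the quoting avoids that, for example `{{ base $path }}: {{ $files.Get $path | toJson }}`. The loop variable `$bytes` is never used, so `range $path, $_ := ...` would say what is meant.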
diff --git a/manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml b/manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml
new file mode 100644
index 0000000000..8f179d5cc5
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml
@@ -0,0 +1,101 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-grafana-post-install-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-grafana-post-install-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-grafana-post-install-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-grafana-post-install-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-grafana-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ name: istio-grafana-post-install
+ labels:
+ app: istio-grafana
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-grafana-post-install-account
+ containers:
+ - name: kubectl
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
+ volumeMounts:
+ - mountPath: "/tmp/grafana"
+ name: tmp-configmap-grafana
+ volumes:
+ - name: tmp-configmap-grafana
+ configMap:
+ name: istio-grafana-custom-resources
+ restartPolicy: OnFailure
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
diff --git a/manager/manifests/istio/charts/grafana/templates/deployment.yaml b/manager/manifests/istio/charts/grafana/templates/deployment.yaml
new file mode 100644
index 0000000000..b5cf7fc419
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/deployment.yaml
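Review bot: The ClusterRole in create-custom-resources-job.yaml grants `resources: ["*"]` and `verbs: ["*"]` on the whole `authentication.istio.io` group, cluster-wide, although its own comment says the access is only needed to create the default authn policy. The hook-delete-policy removes only the Job, so the ServiceAccount, ClusterRole and ClusterRoleBinding remain as a standing grant that can rewrite or delete mesh authentication policy in every namespace. Narrowing it to what the script touches would follow least privilege, presumably something like `resources: ["policies", "meshpolicies"]` with `verbs: ["get", "create"]`; run.sh is not part of this hunk, so the exact list needs checking against it. Separately, the ServiceAccount renders the `imagePullSecrets:` block both before and after `metadata:`, which produces a duplicate top-level key whenever `global.imagePullSecrets` is set; one of the two blocks should go.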
@@ -0,0 +1,127 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: grafana + template: + metadata: + labels: + app: grafana + chart: {{ template "grafana.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + spec: + securityContext: + runAsUser: 472 + fsGroup: 472 +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" +{{- if .Values.security.enabled }} + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ .Values.security.secretName }} + key: {{ .Values.security.usernameKey }} + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.security.secretName }} + key: {{ .Values.security.passphraseKey }} + - name: GF_AUTH_BASIC_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "false" + - name: GF_AUTH_DISABLE_LOGIN_FORM + value: "false" +{{- else }} + - name: GF_AUTH_BASIC_ENABLED + value: "false" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin +{{- end }} + - name: GF_PATHS_DATA + value: /data/grafana + resources: +{{- if .Values.resources }} +{{ toYaml 
.Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /data/grafana + {{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} + {{- $filename := trimSuffix (ext $path) (base $path) }} + - name: dashboards-istio-{{ $filename }} + mountPath: "/var/lib/grafana/dashboards/istio/{{ base $path }}" + subPath: {{ base $path }} + readOnly: true + {{- end }} + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} + volumes: + - name: config + configMap: + name: istio-grafana + - name: data +{{- if .Values.persist }} + persistentVolumeClaim: + claimName: istio-grafana-pvc +{{- else }} + emptyDir: {} +{{- end }} +{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} +{{- $filename := trimSuffix (ext $path) (base $path) }} + - name: dashboards-istio-{{ $filename }} + configMap: + name: istio-grafana-configuration-dashboards-{{ $filename }} +{{- end }} diff --git a/manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml b/manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml new file mode 100644 index 0000000000..b9a3926518 --- /dev/null +++ b/manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml 
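Review bot: In the `{{- else }}` branch of the `security.enabled` check, Grafana starts with `GF_AUTH_ANONYMOUS_ENABLED` set to `"true"` and `GF_AUTH_ANONYMOUS_ORG_ROLE` set to `Admin`, so anyone who can reach port 3000 is an organisation admin without logging in. That branch is the default, because the chart's values.yaml in this patch ships `security.enabled: false`, and ingress.yaml or a non-ClusterIP `service.type` can expose the same port outside the cluster. I would lower the anonymous role to read-only, `value: Viewer`, and leave admin access to the `security.enabled` branch that reads its credentials from the secret.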
@@ -0,0 +1,17 @@
+{{ define "grafana-default.yaml.tpl" }}
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ name: grafana-ports-mtls-disabled
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ targets:
+ - name: grafana
+ ports:
+ - number: {{ .Values.service.externalPort }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/grafana/templates/ingress.yaml b/manager/manifests/istio/charts/grafana/templates/ingress.yaml
new file mode 100644
index 0000000000..0ebe71f61d
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/ingress.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: grafana
+ servicePort: 3000
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: grafana
+ servicePort: 3000
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/grafana/templates/pvc.yaml b/manager/manifests/istio/charts/grafana/templates/pvc.yaml
new file mode 100644
index 0000000000..e376a13a52
--- /dev/null
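Review bot: The `grafana-ports-mtls-disabled` Policy in grafana-ports-mtls.yaml lists only `targets` and no `peers`, which, as its name says, turns mutual TLS off for the Grafana service port, and nothing in the template records why. A short comment above `spec:` would help, for example `# No peers: mTLS is intentionally off for this port; the grafana pod runs with sidecar.istio.io/inject: "false"`, assuming that is the reason. Traffic to the dashboard is then plaintext inside the mesh, so any transport protection has to come from the Ingress `tls` block or a proxy in front of it.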
+++ b/manager/manifests/istio/charts/grafana/templates/pvc.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.persist }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-grafana-pvc
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ storageClassName: {{ .Values.storageClassName }}
+ accessModes:
+ - {{ .Values.accessMode }}
+ resources:
+ requests:
+ storage: 5Gi
+{{- end }}
diff --git a/manager/manifests/istio/charts/grafana/templates/service.yaml b/manager/manifests/istio/charts/grafana/templates/service.yaml
new file mode 100644
index 0000000000..1dfd82c336
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/service.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ template "grafana.name" . }}
+ chart: {{ template "grafana.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: 3000
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: grafana
+{{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
+{{- end }}
+ {{if .Values.service.loadBalancerSourceRanges}}
+ loadBalancerSourceRanges:
+ {{range $rangeList := .Values.service.loadBalancerSourceRanges}}
+ - {{ $rangeList }}
+ {{end}}
+ {{end}}
\ No newline at end of file
diff --git a/manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml b/manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml
new file mode 100644
index 0000000000..29a913a030
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "grafana.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: grafana-test
+ chart: {{ template "grafana.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: grafana
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "grafana.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ args: ['http://grafana:{{ .Values.grafana.service.externalPort }}']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 2 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/grafana/values.yaml b/manager/manifests/istio/charts/grafana/values.yaml
new file mode 100644
index 0000000000..454bb44950
--- /dev/null
+++ b/manager/manifests/istio/charts/grafana/values.yaml
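Review bot: The curl argument in test-grafana-connection.yaml reads `.Values.grafana.service.externalPort`, while service.yaml in the same chart reads `.Values.service.externalPort` and the chart's values.yaml defines `service.externalPort` at the top level. Inside the grafana subchart `.Values.grafana` is probably undefined, so with `global.enableHelmTest` on the template would likely fail to render or produce a URL with no port. I would use `args: ['http://grafana:{{ .Values.service.externalPort }}']` so the test targets the port the Service actually exposes.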
@@ -0,0 +1,87 @@
+#
+# addon grafana configuration
+#
+enabled: false
+replicaCount: 1
+image:
+ repository: grafana/grafana
+ tag: 6.1.6
+ingress:
+ enabled: false
+ ## Used to create an Ingress record.
+ hosts:
+ - grafana.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: grafana-tls
+ # hosts:
+ # - grafana.local
+persist: false
+storageClassName: ""
+accessMode: ReadWriteMany
+security:
+ enabled: false
+ secretName: grafana
+ usernameKey: username
+ passphraseKey: passphrase
+nodeSelector: {}
+tolerations: []
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+contextPath: /grafana
+service:
+ annotations: {}
+ name: http
+ type: ClusterIP
+ externalPort: 3000
+ loadBalancerIP:
+ loadBalancerSourceRanges:
+
+datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ orgId: 1
+ url: http://prometheus:9090
+ access: proxy
+ isDefault: true
+ jsonData:
+ timeInterval: 5s
+ editable: true
+
+dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'istio'
+ orgId: 1
+ folder: 'istio'
+ type: file
+ disableDeletion: false
+ options:
+ path: /var/lib/grafana/dashboards/istio
diff --git a/manager/manifests/istio/charts/istiocoredns/Chart.yaml b/manager/manifests/istio/charts/istiocoredns/Chart.yaml
new file mode 100644
index 0000000000..a1b9392e14
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Istio CoreDNS provides DNS resolution for services in multicluster setups.
+name: istiocoredns
+version: 1.2.2
+appVersion: 0.1
+tillerVersion: ">=2.7.2"
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl b/manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl
new file mode 100644
index 0000000000..e7add11bb3
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istiocoredns.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istiocoredns.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istiocoredns.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml b/manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml
new file mode 100644
index 0000000000..4242a327ff
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiocoredns
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..bafd0ca3bc
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-istiocoredns-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiocoredns
+subjects:
+- kind: ServiceAccount
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml b/manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml
new file mode 100644
index 0000000000..50d166fe5e
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istiocoredns.name" . }}
+ chart: {{ template "istiocoredns.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health
+ proxy global 127.0.0.1:8053 {
+ protocol grpc insecure
+ }
+ prometheus :9153
+ proxy . /etc/resolv.conf
+ cache 30
+ reload
+ }
+---
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml b/manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml
new file mode 100644
index 0000000000..8ecae0e3ad
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml
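Review bot: The Corefile in configmap.yaml forwards the `global` zone with `protocol grpc insecure`, i.e. without TLS, and nothing in the file says why that is acceptable. It is only reasonable because the upstream is `127.0.0.1:8053`, the `istio-coredns-plugin` container that deployment.yaml runs in the same pod. A comment inside the block would keep a later edit from pointing it at a remote address, e.g. `# grpc insecure: loopback to the plugin container only; do not use with a non-local upstream`.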
@@ -0,0 +1,96 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiocoredns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: istiocoredns + template: + metadata: + name: istiocoredns + labels: + app: istiocoredns + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istiocoredns-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: coredns + image: {{ .Values.coreDNSImage }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + - name: istio-coredns-plugin + command: + - /usr/local/bin/plugin + image: {{ .Values.coreDNSPluginImage }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 8053 + name: dns-grpc + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + dnsPolicy: Default + volumes: + - name: config-volume + 
configMap: + name: coredns + items: + - key: Corefile + path: Corefile + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} diff --git a/manager/manifests/istio/charts/istiocoredns/templates/service.yaml b/manager/manifests/istio/charts/istiocoredns/templates/service.yaml new file mode 100644 index 0000000000..a6311017cc --- /dev/null +++ b/manager/manifests/istio/charts/istiocoredns/templates/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: istiocoredns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + app: istiocoredns + ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP diff --git a/manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml b/manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml new file mode 100644 index 0000000000..e2627cf45e --- /dev/null +++ b/manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istiocoredns-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istiocoredns.name" . }} + chart: {{ template "istiocoredns.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} 
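Review bot: Neither container in the istiocoredns pod sets a `securityContext`, so both run with the image's default user and capabilities; the Kiali deployment later in this patch has the same gap. For `istio-coredns-plugin`, which only listens on 8053, adding `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true}` looks safe, provided the image does not expect root, which cannot be verified from this hunk. The `coredns` container binds port 53, so if it is moved off root it needs `NET_BIND_SERVICE` kept while the remaining capabilities are dropped.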
diff --git a/manager/manifests/istio/charts/istiocoredns/values.yaml b/manager/manifests/istio/charts/istiocoredns/values.yaml
new file mode 100644
index 0000000000..0a928c83c2
--- /dev/null
+++ b/manager/manifests/istio/charts/istiocoredns/values.yaml
@@ -0,0 +1,33 @@
+#
+# addon istiocoredns tracing configuration
+#
+enabled: false
+replicaCount: 1
+coreDNSImage: coredns/coredns:1.1.2
+# Source code for the plugin can be found at
+# https://github.com/istio-ecosystem/istio-coredns-plugin
+# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
+coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
+nodeSelector: {}
+tolerations: []
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/manager/manifests/istio/charts/kiali/Chart.yaml b/manager/manifests/istio/charts/kiali/Chart.yaml
new file mode 100644
index 0000000000..c1240aaf95
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
+name: kiali
+version: 1.2.2
+appVersion: 0.20
+tillerVersion: ">=2.7.2"
diff --git a/manager/manifests/istio/charts/kiali/templates/_helpers.tpl b/manager/manifests/istio/charts/kiali/templates/_helpers.tpl
new file mode 100644
index 0000000000..6b00957697
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kiali.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kiali.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kiali.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/kiali/templates/clusterrole.yaml b/manager/manifests/istio/charts/kiali/templates/clusterrole.yaml
new file mode 100644
index 0000000000..0fd657cc53
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/templates/clusterrole.yaml
@@ -0,0 +1,265 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - pods/log + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - adapters + - apikeys + - bypasses + - authorizations + - checknothings + - circonuses + - cloudwatches + - deniers + - dogstatsds + - edges + - fluentds + - handlers + - instances + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - noops + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - redisquotas + - reportnothings + - rules + - signalfxs + - solarwindses + - stackdrivers + - statsds + - stdios + - templates + - tracespans + - zipkins + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - meshpolicies + - policies + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - servicerolebindings + - serviceroles + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: 
["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali-viewer + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - pods/log + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - adapters + - apikeys + - bypasses + - authorizations + - checknothings + - circonuses + - cloudwatches + - deniers + - dogstatsds + - edges + - fluentds + - handlers + - instances + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - noops + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - redisquotas + - reportnothings + - rules + - signalfxs + - solarwindses + - stackdrivers + - statsds + - stdios + - templates + - tracespans + - zipkins + verbs: + - get + - list + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - meshpolicies + - policies + verbs: + - get + - list + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - servicerolebindings + - serviceroles + verbs: + - get + - list + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - 
monitoringdashboards + verbs: + - get + - list diff --git a/manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..cf1652955e --- /dev/null +++ b/manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-kiali-admin-role-binding-{{ .Release.Namespace }} + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiali{{- if .Values.dashboard.viewOnlyMode }}-viewer{{- end }} +subjects: +- kind: ServiceAccount + name: kiali-service-account + namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/charts/kiali/templates/configmap.yaml b/manager/manifests/istio/charts/kiali/templates/configmap.yaml new file mode 100644 index 0000000000..a6fa1b3aac --- /dev/null +++ b/manager/manifests/istio/charts/kiali/templates/configmap.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + config.yaml: | + istio_namespace: {{ .Release.Namespace }} + auth: + strategy: "login" + server: + port: 20001 +{{- if .Values.contextPath }} + web_root: {{ .Values.contextPath }} +{{- end }} + external_services: + tracing: + url: {{ .Values.dashboard.jaegerURL }} + grafana: + url: {{ .Values.dashboard.grafanaURL }} + prometheus: + url: {{ .Values.prometheusAddr }} 
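Review bot: The `kiali` ClusterRole in clusterrole.yaml gives `create`, `delete` and `patch` on `config.istio.io`, `networking.istio.io`, `authentication.istio.io` and `rbac.istio.io` across the cluster, so a Kiali login can rewrite mesh authentication and authorization policy. clusterrolebinding.yaml binds this role unless `dashboard.viewOnlyMode` is set, and the chart's default for that value is not visible in this part of the patch; I would make the read-only `kiali-viewer` role the default and require an explicit opt-in for the write role. The two rule lists differ only in their verbs, so a comment at the top of each role saying which mode binds it, e.g. `# bound when dashboard.viewOnlyMode is false`, would make that easier to audit. The binding is also named `istio-kiali-admin-role-binding-...` even when it binds the viewer role.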
diff --git a/manager/manifests/istio/charts/kiali/templates/demosecret.yaml b/manager/manifests/istio/charts/kiali/templates/demosecret.yaml
new file mode 100644
index 0000000000..ad44298c3f
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/templates/demosecret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.createDemoSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.dashboard.secretName }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+type: Opaque
+data:
+ username: YWRtaW4= # admin
+ passphrase: YWRtaW4= # admin
+{{- end }}
diff --git a/manager/manifests/istio/charts/kiali/templates/deployment.yaml b/manager/manifests/istio/charts/kiali/templates/deployment.yaml
new file mode 100644
index 0000000000..67e81b1263
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/templates/deployment.yaml
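Review bot: demosecret.yaml hard-codes the Kiali login as `admin`/`admin` (the base64 values are annotated as such) and creates it whenever `createDemoSecret` is true. Together with the write-capable `kiali` ClusterRole in this patch, that is a publicly known credential for changing mesh policy, so I would not ship fixed values. Either take them from values and fail when they are missing, e.g. `passphrase: {{ required "set a Kiali passphrase" .Values.dashboard.passphrase | b64enc }}` (`dashboard.passphrase` is a proposed value, not one the chart has today), or at least add a comment above `data:` stating that the secret is for local demos only and must stay disabled elsewhere.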
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: kiali
+ template:
+ metadata:
+ name: kiali
+ labels:
+ app: kiali
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9090"
+ spec:
+ serviceAccountName: kiali-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - image: "{{ .Values.hub }}/kiali:{{ .Values.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ name: kiali
+ command:
+ - "/opt/kiali/kiali"
+ - "-config"
+ - "/kiali-configuration/config.yaml"
+ - "-v"
+ - "4"
+ env:
+ - name: ACTIVE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: kiali-configuration
+ mountPath: "/kiali-configuration"
+ - name: kiali-secret
+ mountPath: "/kiali-secret"
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumes:
+ - name: kiali-configuration
+ configMap:
+ name: kiali
+ - name: kiali-secret
+ secret:
+ secretName: {{ .Values.dashboard.secretName }}
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
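Review bot: The `kiali` container in deployment.yaml declares no `securityContext`, so it runs as whatever user the image defaults to and is not barred from gaining privileges, while its pod carries the `kiali-service-account` token that is bound at cluster scope. Under `name: kiali` I would add `securityContext:` with `allowPrivilegeEscalation: false` and `runAsNonRoot: true`, after checking that the quay.io/kiali image actually runs as a non-root user. The `-v 4` argument is also a verbose default for a dashboard that handles logins; confirm what that level writes to the pod log.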
diff --git a/manager/manifests/istio/charts/kiali/templates/ingress.yaml b/manager/manifests/istio/charts/kiali/templates/ingress.yaml
new file mode 100644
index 0000000000..2e2a0de3af
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/templates/ingress.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: kiali
+ servicePort: 20001
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: kiali
+ servicePort: 20001
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/kiali/templates/service.yaml b/manager/manifests/istio/charts/kiali/templates/service.yaml
new file mode 100644
index 0000000000..1aa79bfdbb
--- /dev/null
+++ b/manager/manifests/istio/charts/kiali/templates/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "kiali.name" . }}
+ chart: {{ template "kiali.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - name: http-kiali
+ protocol: TCP
+ port: 20001
+ selector:
+ app: kiali
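Review bot: The `tls:` block in ingress.yaml is emitted only when `ingress.tls` is set, and values.yaml leaves that key empty. Turning on `ingress.enabled` therefore publishes the login-protected dashboard over plain HTTP unless TLS is terminated somewhere in front of it, and the username and passphrase would cross the network unencrypted. I would make rendering fail in that case by adding `{{- $_ := required "kiali: set ingress.tls when ingress.enabled is true" .Values.ingress.tls }}` directly after the opening `if`. The commented-out `secretName: kiali-tls` example in values.yaml is the only hint today that TLS is expected.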
diff --git a/manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml b/manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml new file mode 100644 index 0000000000..2ae38a1ab0 --- /dev/null +++ b/manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: kiali-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "kiali.name" . }} + chart: {{ template "kiali.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml b/manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml new file mode 100644 index 0000000000..2697a705c3 --- /dev/null +++ b/manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "kiali.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: kiali-test + chart: {{ template "kiali.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: kiali + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "kiali.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['curl'] + args: ['http://kiali:20001'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 2 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 2 }} + {{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/kiali/values.yaml b/manager/manifests/istio/charts/kiali/values.yaml new file mode 100644 index 0000000000..0bc05e8a01 --- /dev/null +++ b/manager/manifests/istio/charts/kiali/values.yaml 
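Review bot: The test container in test-kiali-connection.yaml runs `curl` with only the URL, and curl exits 0 on any HTTP response, so this Helm test passes on a 404 or 500 as long as the TCP connection succeeds. Adding `--fail` makes the result follow the HTTP status: `args: ['--fail', 'http://kiali:20001']`. values.yaml sets `contextPath: /kiali`, so the probed path may also need that prefix; what the root path returns is not visible in this patch.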
@@ -0,0 +1,55 @@ +# +# addon kiali +# +enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`. +replicaCount: 1 +hub: quay.io/kiali +tag: v0.20 +contextPath: /kiali # The root context path to access the Kiali UI. +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] + +ingress: + enabled: false + ## Used to create an Ingress record. + hosts: + - kiali.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: kiali-tls + # hosts: + # - kiali.local + +dashboard: + secretName: kiali # You must create a secret with this name - one is not provided out-of-box. + viewOnlyMode: false # Bind the service account to a role with only read access + grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown. 
+ jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown. +prometheusAddr: http://prometheus:9090 + +# When true, a secret will be created with a default username and password. Useful for demos. +createDemoSecret: false diff --git a/manager/manifests/istio/charts/mixer/Chart.yaml b/manager/manifests/istio/charts/mixer/Chart.yaml new file mode 100644 index 0000000000..1f297ad36c --- /dev/null +++ b/manager/manifests/istio/charts/mixer/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: mixer +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2" +description: Helm chart for mixer deployment +keywords: + - istio + - mixer +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio/charts/mixer/templates/_helpers.tpl b/manager/manifests/istio/charts/mixer/templates/_helpers.tpl new file mode 100644 index 0000000000..dac6da0366 --- /dev/null +++ b/manager/manifests/istio/charts/mixer/templates/_helpers.tpl 
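Review bot: `tag: v0.20` in kiali's values.yaml selects the image by a tag on quay.io/kiali, which the registry owner can repoint, so the code running under a cluster-wide service account can change without any change to this chart. Pinning to an immutable digest makes the deployment reproducible and reviewable. The image reference in deployment.yaml is built as `"{{ .Values.hub }}/kiali:{{ .Values.tag }}"`, so that template would need to accept an `@sha256:<digest>` form as well.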
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mixer.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mixer.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mixer.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/mixer/templates/autoscale.yaml b/manager/manifests/istio/charts/mixer/templates/autoscale.yaml new file mode 100644 index 0000000000..377b47d033 --- /dev/null +++ b/manager/manifests/istio/charts/mixer/templates/autoscale.yaml 
@@ -0,0 +1,29 @@
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" $ }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+spec:
+ maxReplicas: {{ $spec.autoscaleMax }}
+ minReplicas: {{ $spec.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-{{ $key }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/clusterrole.yaml b/manager/manifests/istio/charts/mixer/templates/clusterrole.yaml
new file mode 100644
index 0000000000..3d7438f2d3
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/templates/clusterrole.yaml
@@ -0,0 +1,24 @@
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-mixer-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["config.istio.io"] # istio CRD watcher
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+{{- end }}
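Review bot: The Mixer ClusterRole lists `secrets` among the core resources with `get`, `list` and `watch`, so once the binding in clusterrolebinding.yaml is applied, `istio-mixer-service-account` can read every Secret in every namespace. Nothing in this hunk shows why Mixer needs that. If it only needs Secrets in its own namespace, take `secrets` out of this rule and grant it through a namespaced Role, leaving `resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "replicationcontrollers"]` here. The `config.istio.io` rule with `resources: ["*"]` plus `create` and `patch` deserves the same scrutiny.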
diff --git a/manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..773e68b343
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/config.yaml b/manager/manifests/istio/charts/mixer/templates/config.yaml
new file mode 100644
index 0000000000..cc0f046da9
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/templates/config.yaml
@@ -0,0 +1,1086 @@ +{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }} +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.url_path: + valueType: STRING + request.query_params: + valueType: STRING_MAP + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + response.grpc_status: + valueType: STRING + response.grpc_message: + valueType: STRING + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + 
connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.proxy_error_code: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + rbac.permissive.response_code: + valueType: STRING + rbac.permissive.effective_policy_id: + valueType: STRING + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + check.cache_hit: + valueType: BOOL + quota.cache_hit: + valueType: BOOL + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +{{- if and .Values.adapters.stdio.enabled .Values.telemetry.enabled }} +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: stdio + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: stdio + params: + outputAsJson: {{ .Values.adapters.stdio.outputAsJson }} +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: accesslog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: logentry + params: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseFlags: context.proxy_error_code | "" + responseSize: response.size | 0 + permissiveResponseCode: rbac.permissive.response_code | "none" + permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: 
request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + grpcStatus: response.grpc_status | "" + grpcMessage: response.grpc_message | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: tcpaccesslog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: logentry + params: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 
+ responseFlags: context.proxy_error_code | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: stdio + instances: + - accesslog +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: context.protocol == "tcp" + actions: + - handler: stdio + instances: + - tcpaccesslog +{{- end }} +--- +{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }} +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: requestcount + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: requestduration + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: requestsize + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: responsesize + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: tcpbytesent + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: tcpbytereceived + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: tcpconnectionsopened + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: tcpconnectionsclosed + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: metric + params: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: prometheus + params: + metricsExpirationPolicy: + metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}" + metrics: + - name: requests_total + instance_name: requestcount.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - 
destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.instance.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: 
tcp_connections_opened_total + instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_closed_total + instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) + actions: + - handler: prometheus + instances: + - requestcount + - requestduration + - requestsize + - responsesize +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: context.protocol == "tcp" + actions: + - handler: prometheus + instances: + - tcpbytesent + - tcpbytereceived +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionopen + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "open") + actions: + - handler: prometheus + instances: + - tcpconnectionsopened +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionclosed + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "close") + actions: + - handler: prometheus + instances: + - tcpconnectionsclosed +{{- end }} +--- +{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }} +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: kubernetesenv + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledAdapter: kubernetesenv + params: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . 
}} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + actions: + - handler: kubernetesenv + instances: + - attributes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + match: context.protocol == "tcp" + actions: + - handler: kubernetesenv + instances: + - attributes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: attributes + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + compiledTemplate: kubernetes + params: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attributeBindings: + # Fill the new attributes from the adapter produced output. 
+ # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" +{{- end }} +--- +{{- if .Values.policy.enabled }} +# Configuration needed by Mixer. +# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + {{- if .Values.global.controlPlaneSecurityEnabled }} + portLevelSettings: + - port: + number: 15004 + tls: + mode: ISTIO_MUTUAL + {{- end}} + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +{{- end }} +--- +{{- if .Values.telemetry.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ template "mixer.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + {{- if .Values.global.controlPlaneSecurityEnabled }} + portLevelSettings: + - port: + number: 15004 + tls: + mode: ISTIO_MUTUAL + {{- end}} + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +{{- end }} +--- +{{- end }} diff --git a/manager/manifests/istio/charts/mixer/templates/deployment.yaml b/manager/manifests/istio/charts/mixer/templates/deployment.yaml new file mode 100644 index 0000000000..79063d1950 --- /dev/null +++ b/manager/manifests/istio/charts/mixer/templates/deployment.yaml 
@@ -0,0 +1,428 @@
+{{- define "policy_container" }}
+ spec:
+ serviceAccountName: istio-mixer-service-account
+{{- if $.Values.global.priorityClassName }}
+ priorityClassName: "{{ $.Values.global.priorityClassName }}"
+{{- end }}
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ {{- if $.Values.global.sds.enabled }}
+ - hostPath:
+ path: /var/run/sds
+ name: sds-uds-path
+ {{- if $.Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: {{ $.Values.global.trustDomain }}
+ expirationSeconds: 43200
+ path: istio-token
+ {{- end }}
+ {{- end }}
+ - name: uds-socket
+ emptyDir: {}
+ - name: policy-adapter-secret
+ secret:
+ secretName: policy-adapter-secret
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - name: mixer
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.global.monitoringPort }}
+ - containerPort: 42422
+ args:
+ - --monitoringPort={{ .Values.global.monitoringPort }}
+ - --address
+ - unix:///sock/mixer.socket
+{{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+{{- if $.Values.global.useMCP }}
+ {{- if $.Values.global.controlPlaneSecurityEnabled}}
+ - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- else }}
+ - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- end }}
+{{- else }}
+ - --configStoreURL=k8s://
+{{- end }}
+ - --configDefaultNamespace={{ $.Release.Namespace }}
+ {{- if $.Values.adapters.useAdapterCRDs }}
+ - --useAdapterCRDs=true
+ {{- else }}
+ - --useAdapterCRDs=false
+ {{- end }}
+ {{- if $.Values.templates.useTemplateCRDs }}
+ - --useTemplateCRDs=true
+ {{- else }}
+ - --useTemplateCRDs=false
+ {{- end }}
+ {{- if $.Values.global.tracer.zipkin.address }}
+ - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
+ {{- else }}
+ - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
+ {{- end }}
+ {{- if .Values.env }}
+ env:
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ resources:
+{{- if .Values.policy.resources }}
+{{ toYaml .Values.policy.resources | indent 10 }}
+{{- else if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+{{- if $.Values.global.useMCP }}
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+{{- end }}
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: {{ .Values.global.monitoringPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: istio-proxy
+{{- if contains "/" $.Values.global.proxy.image }}
+ image: "{{ $.Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }}
+ - --serviceCluster
+ - istio-policy
+ - --templateFile
+ - /etc/istio/proxy/envoy_policy.yaml.tmpl
+ {{- if $.Values.global.controlPlaneSecurityEnabled }}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ {{- end }}
+ {{- if $.Values.global.trustDomain }}
+ - --trust-domain={{ $.Values.global.trustDomain }}
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+{{- if $.Values.global.proxy.resources }}
+{{ toYaml $.Values.global.proxy.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ {{- if $.Values.global.sds.enabled }}
+ - name: sds-uds-path
+ mountPath: /var/run/sds
+ readOnly: true
+ {{- if $.Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ {{- end }}
+ {{- end }}
+ - name: uds-socket
+ mountPath: /sock
+ - name: policy-adapter-secret
+ mountPath: /var/run/secrets/istio.io/policy/adapter
+ readOnly: true
+{{- end }}
+
+{{- define "telemetry_container" }}
+ spec:
+ serviceAccountName: istio-mixer-service-account
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-mixer-service-account
+ optional: true
+ {{- if $.Values.global.sds.enabled }}
+ - hostPath:
+ path: /var/run/sds
+ name: sds-uds-path
+ {{- if $.Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: {{ $.Values.global.trustDomain }}
+ expirationSeconds: 43200
+ path: istio-token
+ {{- end }}
+ {{- end }}
+ - name: uds-socket
+ emptyDir: {}
+ - name: telemetry-adapter-secret
+ secret:
+ secretName: telemetry-adapter-secret
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
+ containers:
+ - name: mixer
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.global.monitoringPort }}
+ - containerPort: 42422
+ args:
+ - --monitoringPort={{ .Values.global.monitoringPort }}
+ - --address
+ - unix:///sock/mixer.socket
+{{- if $.Values.global.logging.level }}
+ - --log_output_level={{ $.Values.global.logging.level }}
+{{- end}}
+{{- if $.Values.global.useMCP }}
+ {{- if $.Values.global.controlPlaneSecurityEnabled}}
+ - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ - --certFile=/etc/certs/cert-chain.pem
+ - --keyFile=/etc/certs/key.pem
+ - --caCertFile=/etc/certs/root-cert.pem
+ {{- else }}
+ - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901
+ {{- end }}
+{{- else }}
+ - --configStoreURL=k8s://
+{{- end }}
+ - --configDefaultNamespace={{ $.Release.Namespace }}
+ {{- if $.Values.adapters.useAdapterCRDs }}
+ - --useAdapterCRDs=true
+ {{- else }}
+ - --useAdapterCRDs=false
+ {{- end }}
+ {{- if $.Values.templates.useTemplateCRDs }}
+ - --useTemplateCRDs=true
+ {{- else }}
+ - --useTemplateCRDs=false
+ {{- end }}
+ {{- if $.Values.global.tracer.zipkin.address }}
+ - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans
+ {{- else }}
+ - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans
+ {{- end }}
+ - --averageLatencyThreshold
+ - {{ $.Values.telemetry.loadshedding.latencyThreshold }}
+ - --loadsheddingMode
+ - {{ $.Values.telemetry.loadshedding.mode }}
+ {{- if .Values.env }}
+ env:
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ resources:
+{{- if .Values.telemetry.resources }}
+{{ toYaml .Values.telemetry.resources | indent 10 }}
+{{- else if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+{{- if $.Values.global.useMCP }}
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+{{- end }}
+ - name: telemetry-adapter-secret
+ mountPath: /var/run/secrets/istio.io/telemetry/adapter
+ readOnly: true
+ - name: uds-socket
+ mountPath: /sock
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: {{ .Values.global.monitoringPort }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ - name: istio-proxy
+{{- if contains "/" $.Values.global.proxy.image }}
+ image: "{{ $.Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 9091
+ - containerPort: 15004
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --serviceCluster
+ - istio-telemetry
+ - --templateFile
+ - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
+ {{- if $.Values.global.controlPlaneSecurityEnabled }}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ {{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ resources:
+{{- if $.Values.global.proxy.resources }}
+{{ toYaml $.Values.global.proxy.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ {{- if $.Values.global.sds.enabled }}
+ - name: sds-uds-path
+ mountPath: /var/run/sds
+ readOnly: true
+ {{- if $.Values.global.sds.useTrustworthyJwt }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ {{- end }}
+ {{- end }}
+ - name: uds-socket
+ mountPath: /sock
+{{- end }}
+
+
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: istio-mixer
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+spec:
+{{- if not $spec.autoscaleEnabled }}
+{{- if $spec.replicaCount }}
+ replicas: {{ $spec.replicaCount }}
+{{- else }}
+ replicas: 1
+{{- end }}
+{{- end }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+ template:
+ metadata:
+ labels:
+ app: {{ $key }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+{{- with $.Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- if eq $key "policy"}}
+{{- template "policy_container" $ }}
+{{- else }}
+{{- template "telemetry_container" $ }}
+{{- end }}
+
+---
+{{- end }}
+{{- end }}
+{{- end }} {{/* range */}}
diff --git a/manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..a6bfe8668a
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml
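Review bot: In `deployment.yaml`, the mixer container of `policy_container` switches to `--configStoreURL=mcps://…` when `global.useMCP` and `global.controlPlaneSecurityEnabled` are both set, but unlike the same branch in `telemetry_container` it passes no `--certFile`, `--keyFile` or `--caCertFile`, so the TLS material the policy pod presents to Galley depends on whatever mixer defaults to. Unless that asymmetry is intended, add the three flags the telemetry branch already uses: `- --certFile=/etc/certs/cert-chain.pem`, `- --keyFile=/etc/certs/key.pem`, `- --caCertFile=/etc/certs/root-cert.pem`. The reverse asymmetry exists in the `istio-proxy` args, where only the policy template passes `--trust-domain={{ $.Values.global.trustDomain }}`. A short comment on each template stating which differences are deliberate would stop the two from drifting further.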
@@ -0,0 +1,32 @@
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app: {{ $key }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ version: {{ $.Chart.Version }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+spec:
+{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
+{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
+{{- end }}
+ selector:
+ matchLabels:
+ app: {{ $key }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/service.yaml b/manager/manifests/istio/charts/mixer/templates/service.yaml
new file mode 100644
index 0000000000..79cc4a5820
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/templates/service.yaml
@@ -0,0 +1,39 @@
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "policy") (eq $key "telemetry") }}
+{{- if $spec.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-{{ $key }}
+ namespace: {{ $.Release.Namespace }}
+ annotations:
+ networking.istio.io/exportTo: "*"
+ labels:
+ app: {{ template "mixer.name" $ }}
+ chart: {{ template "mixer.chart" $ }}
+ heritage: {{ $.Release.Service }}
+ release: {{ $.Release.Name }}
+ istio: mixer
+spec:
+ ports:
+ - name: grpc-mixer
+ port: 9091
+ - name: grpc-mixer-mtls
+ port: 15004
+ - name: http-monitoring
+ port: {{ $.Values.global.monitoringPort }}
+{{- if eq $key "telemetry" }}
+ - name: prometheus
+ port: 42422
+{{- if $spec.sessionAffinityEnabled }}
+ sessionAffinity: ClientIP
+{{- end }}
+{{- end }}
+ selector:
+ istio: mixer
+ istio-mixer-type: {{ $key }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
+
diff --git a/manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml b/manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9d3da7dd63
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ template "mixer.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/values.yaml b/manager/manifests/istio/charts/mixer/values.yaml
new file mode 100644
index 0000000000..1d92f38932
--- /dev/null
+++ b/manager/manifests/istio/charts/mixer/values.yaml
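Review bot: In `service.yaml` the `grpc-mixer` port 9091 is published for every enabled mixer Service next to `grpc-mixer-mtls` on 15004, with no dependence on `global.controlPlaneSecurityEnabled`, so the non-mTLS port presumably stays reachable from any workload in the cluster even when control-plane security is turned on. If plaintext access is not needed in that mode, wrap the 9091 entry in `{{- if not $.Values.global.controlPlaneSecurityEnabled }}` … `{{- end }}` or restrict it with a NetworkPolicy, and add a comment on the port naming the clients expected to use it. The `networking.istio.io/exportTo: "*"` annotation is likewise unconditional here, while the DestinationRules in `config.yaml` set `exportTo` only under `global.defaultConfigVisibilitySettings`; the two should probably follow the same switch.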
@@ -0,0 +1,88 @@ +# +# mixer configuration +# +image: mixer + +env: + GODEBUG: gctrace=1 + # max procs should be ceil(cpu limit + 1) + GOMAXPROCS: "6" + +policy: + # if policy is enabled, global.disablePolicyChecks has affect. + enabled: false + replicaCount: 1 + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + +telemetry: + enabled: true + replicaCount: 1 + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + sessionAffinityEnabled: false + + # mixer load shedding configuration. + # When mixer detects that it is overloaded, it starts rejecting grpc requests. + loadshedding: + # disabled, logonly or enforce + mode: enforce + # based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async. + latencyThreshold: 100ms + resources: + requests: + cpu: 1000m + memory: 1G + limits: + # It is best to do horizontal scaling of mixer using moderate cpu allocation. + # We have experimentally found that these values work well. + cpu: 4800m + memory: 4G + +podAnnotations: {} +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. 
+# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] + +templates: + useTemplateCRDs: false + +adapters: + kubernetesenv: + enabled: true + + # stdio is a debug adapter in istio-telemetry, it is not recommended for production use. + stdio: + enabled: false + outputAsJson: true + prometheus: + enabled: true + metricsExpiryDuration: 10m + # Setting this to false sets the useAdapterCRDs mixer startup argument to false + useAdapterCRDs: false diff --git a/manager/manifests/istio/charts/nodeagent/Chart.yaml b/manager/manifests/istio/charts/nodeagent/Chart.yaml new file mode 100644 index 0000000000..4334965506 --- /dev/null +++ b/manager/manifests/istio/charts/nodeagent/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: nodeagent +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2" +description: Helm chart for nodeagent deployment +keywords: + - istio + - nodeagent +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl b/manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl new file mode 100644 index 0000000000..fda6043d0c --- /dev/null +++ b/manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl 
@@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nodeagent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nodeagent.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nodeagent.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml b/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml new file mode 100644 index 0000000000..9127b05e33 --- /dev/null +++ b/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-nodeagent-{{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] \ No newline at end of file diff --git a/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..963757e72e --- /dev/null 
+++ b/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-nodeagent-{{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-nodeagent-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-nodeagent-service-account + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml b/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml new file mode 100644 index 0000000000..3c30e7044c --- /dev/null +++ b/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml 
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: istio-nodeagent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: nodeagent
+spec:
+ selector:
+ matchLabels:
+ istio: nodeagent
+ template:
+ metadata:
+ labels:
+ app: {{ template "nodeagent.name" . }}
+ chart: {{ template "nodeagent.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: nodeagent
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-nodeagent-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: nodeagent
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+{{- end }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ volumeMounts:
+ - mountPath: /var/run/sds
+ name: sdsudspath
+ env:
+ {{- if .Values.env }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ - name: "Trust_Domain"
+ value: "{{ .Values.global.trustDomain }}"
+ volumes:
+ - name: sdsudspath
+ hostPath:
+ path: /var/run/sds
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
+ updateStrategy:
+ type: RollingUpdate
\ No newline at end of file
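Review bot: The `nodeagent` container mounts the node directory `/var/run/sds` through a `hostPath` volume that sets no `type`, and the container carries no `securityContext`, so wherever the DaemonSet schedules it runs with the runtime's default privileges and write access to a host path. The pilot deployment template later in this patch mounts the same host directory when `global.sds.enabled` is set, so the two should be reviewed together. I would add `type: DirectoryOrCreate` under `hostPath` and `securityContext: {allowPrivilegeEscalation: false}` on the container, after confirming the agent can still create its socket. The chart looks vendored from upstream Istio and its values.yaml ships `enabled: false`, so a comment there noting that enabling it shares a host directory with the pod may be the lighter change.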
diff --git a/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml b/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b52f852d89 --- /dev/null +++ b/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-nodeagent-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "nodeagent.name" . }} + chart: {{ template "nodeagent.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} \ No newline at end of file diff --git a/manager/manifests/istio/charts/nodeagent/values.yaml b/manager/manifests/istio/charts/nodeagent/values.yaml new file mode 100644 index 0000000000..9485731aa0 --- /dev/null +++ b/manager/manifests/istio/charts/nodeagent/values.yaml 
@@ -0,0 +1,35 @@ +# +# nodeagent configuration +# +enabled: false +image: node-agent-k8s +env: + # name of authentication provider. + CA_PROVIDER: "" + # CA endpoint. + CA_ADDR: "" + # names of authentication provider's plugins. + Plugins: "" +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] diff --git a/manager/manifests/istio/charts/pilot/Chart.yaml b/manager/manifests/istio/charts/pilot/Chart.yaml new file mode 100644 index 0000000000..f18710979f --- /dev/null +++ b/manager/manifests/istio/charts/pilot/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: pilot +version: 1.2.2 +appVersion: 1.2.2 +tillerVersion: ">=2.7.2" +description: Helm chart for pilot deployment +keywords: + - istio + - pilot +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio/charts/pilot/templates/_helpers.tpl b/manager/manifests/istio/charts/pilot/templates/_helpers.tpl new file mode 100644 index 0000000000..c812c37096 --- /dev/null 
+++ b/manager/manifests/istio/charts/pilot/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "pilot.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "pilot.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "pilot.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/pilot/templates/autoscale.yaml b/manager/manifests/istio/charts/pilot/templates/autoscale.yaml new file mode 100644 index 0000000000..1a9945136a --- /dev/null +++ b/manager/manifests/istio/charts/pilot/templates/autoscale.yaml 
@@ -0,0 +1,25 @@
+{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ maxReplicas: {{ .Values.autoscaleMax }}
+ minReplicas: {{ .Values.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istio-pilot
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/manager/manifests/istio/charts/pilot/templates/clusterrole.yaml b/manager/manifests/istio/charts/pilot/templates/clusterrole.yaml
new file mode 100644
index 0000000000..0435c3ebd0
--- /dev/null
+++ b/manager/manifests/istio/charts/pilot/templates/clusterrole.yaml
@@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-pilot-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "pilot.name" . }}
+ chart: {{ template "pilot.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["config.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses", "ingresses/status"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+- apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
+ verbs: ["get", "list", "watch"]
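Review bot: The last rule of the `istio-pilot-{{ .Release.Namespace }}` ClusterRole puts `secrets` in the same cluster-wide `get`/`list`/`watch` grant as pods and services, and the `apiextensions.k8s.io` rule gives `verbs: ["*"]` on `customresourcedefinitions`, which includes delete. Since clusterrolebinding.yaml binds this role cluster-wide to `istio-pilot-service-account`, a compromised pilot pod could read every secret in the cluster. The CRDs are installed by the istio-init chart added in this same patch, so the CRD rule can probably be cut to `verbs: ["get", "list", "watch"]`; that needs confirming against what pilot does at startup. If `secrets` must stay, a comment such as `# pilot reads ingress TLS secrets; keep read-only` would at least record why it is there.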
diff --git a/manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ef9281ca80 --- /dev/null +++ b/manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-{{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/charts/pilot/templates/deployment.yaml b/manager/manifests/istio/charts/pilot/templates/deployment.yaml new file mode 100644 index 0000000000..6afc097395 --- /dev/null +++ b/manager/manifests/istio/charts/pilot/templates/deployment.yaml 
@@ -0,0 +1,225 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} + # TODO: default template doesn't have this, which one is right ? + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot + annotations: + checksum/config-volume: {{ template "istio.configmap.checksum" . }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- else }} + replicas: 1 +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-pilot-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - "discovery" + - --monitoringAddr=:{{ .Values.global.monitoringPort }} +{{- if $.Values.global.logging.level }} + - --log_output_level={{ $.Values.global.logging.level }} +{{- end}} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if $.Values.global.controlPlaneSecurityEnabled}} + {{- if not .Values.sidecar }} + - --secureGrpcAddr + - ":15011" + {{- end }} +{{- else }} + - --secureGrpcAddr + - "" +{{- end }} +{{- if .Values.global.trustDomain }} + - --trust-domain={{ 
.Values.global.trustDomain }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" + ports: + - containerPort: 8080 + - containerPort: 15010 +{{- if not .Values.sidecar }} + - containerPort: 15011 +{{- end }} + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} + - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY + value: "1" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true +{{- if .Values.sidecar }} + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + {{- if $.Values.global.controlPlaneSecurityEnabled}} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + {{- else }} + - --controlPlaneAuthPolicy + - NONE + {{- end }} + {{- if 
.Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: +{{- if .Values.global.proxy.resources }} +{{ toYaml .Values.global.proxy.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- if $.Values.global.sds.enabled }} + - name: sds-uds-path + mountPath: /var/run/sds + readOnly: true + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + mountPath: /var/run/secrets/tokens + {{- end }} + {{- end }} +{{- end }} + volumes: + {{- if $.Values.global.sds.enabled }} + - hostPath: + path: /var/run/sds + name: sds-uds-path + {{- if $.Values.global.sds.useTrustworthyJwt }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ $.Values.global.trustDomain }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + {{- end }} + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} diff --git a/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml b/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml new file mode 100644 index 0000000000..4f3d595706 --- /dev/null 
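Review bot: The discovery container always declares `containerPort: 15010` and `8080`, and service.yaml later in this patch always publishes them as `grpc-xds # direct` and `http-legacy-discovery # direct`, whatever `global.controlPlaneSecurityEnabled` is set to. So even with the mTLS listener on 15011 enabled, any workload that can reach the `istio-pilot` Service can still talk to discovery in plaintext. I would either gate the two Service entries with `{{- if not .Values.global.controlPlaneSecurityEnabled }}` or restrict them with a NetworkPolicy, after checking that nothing in the Cortex install still depends on 15010. Separately, the `else` branch passes `--secureGrpcAddr ""` and the sidecar gets `--controlPlaneAuthPolicy NONE`; the default for that flag lives in the global values outside this hunk, so the value Cortex installs with is worth confirming.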
+++ b/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml 
@@ -0,0 +1,91 @@ +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-ilb-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + hosts: + - istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-ilb-gateway + tcp: + - match: + - port: 15011 + route: + - destination: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15011 + - match: + - port: 15010 + route: + - destination: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15010 + - match: + - port: 5353 + route: + - destination: + host: kube-dns.kube-system.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 53 +--- +{{- else }} + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + hosts: + - istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 15011 + route: + - destination: + host: istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15011 +--- +{{- end }} + +{{- if .Values.global.controlPlaneSecurityEnabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15011 + tls: + mode: DISABLE +--- +{{- end }} +{{- end }} + diff --git a/manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..fd9e06a717 --- /dev/null +++ b/manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot +spec: +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} +{{- end }} + selector: + matchLabels: + app: {{ template "pilot.name" . }} + release: {{ .Release.Name }} + istio: pilot +{{- end }} diff --git a/manager/manifests/istio/charts/pilot/templates/service.yaml b/manager/manifests/istio/charts/pilot/templates/service.yaml new file mode 100644 index 0000000000..a61d93025e --- /dev/null +++ b/manager/manifests/istio/charts/pilot/templates/service.yaml 
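Review bot: In the `useILB` branch of meshexpansion.yaml the VirtualService forwards port 15010 to pilot and port 5353 to `kube-dns.kube-system` port 53 through `meshexpansion-ilb-gateway`, so plaintext xDS and cluster DNS become reachable by anything that can reach the internal load balancer. The non-ILB branch forwards only 15011. The DestinationRule also sets `tls: mode: DISABLE` for 15011 exactly when `controlPlaneSecurityEnabled` is true, which reads as if TLS were being turned off. Presumably the gateway is meant to pass the client's own mTLS through rather than originate TLS, so a comment such as `# gateway must not originate TLS here; the client's mTLS session to pilot passes through` would help once that is confirmed. Both `meshExpansion` switches are defined outside this hunk.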
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: pilot +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: {{ .Values.global.monitoringPort }} + name: http-monitoring + selector: + istio: pilot diff --git a/manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml b/manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml new file mode 100644 index 0000000000..7ec2a66de7 --- /dev/null +++ b/manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-pilot-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "pilot.name" . }} + chart: {{ template "pilot.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/manager/manifests/istio/charts/pilot/values.yaml b/manager/manifests/istio/charts/pilot/values.yaml new file mode 100644 index 0000000000..9f446cd90f --- /dev/null +++ b/manager/manifests/istio/charts/pilot/values.yaml 
@@ -0,0 +1,50 @@ +# +# pilot configuration +# +enabled: true +autoscaleEnabled: true +autoscaleMin: 1 +autoscaleMax: 5 +# specify replicaCount when autoscaleEnabled: false +# replicaCount: 1 +image: pilot +sidecar: true +traceSampling: 1.0 +# Resources for a small pilot install +resources: + requests: + cpu: 500m + memory: 2048Mi +env: + PILOT_PUSH_THROTTLE: 100 + GODEBUG: gctrace=1 +cpu: + targetAverageUtilization: 80 +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] + +# The following is used to limit how long a sidecar can be connected +# to a pilot. It balances out load across pilot instances at the cost of +# increasing system churn. +keepaliveMaxServerConnectionAge: 30m diff --git a/manager/manifests/istio/charts/prometheus/Chart.yaml b/manager/manifests/istio/charts/prometheus/Chart.yaml new file mode 100644 index 0000000000..3fb2805fc1 --- /dev/null +++ b/manager/manifests/istio/charts/prometheus/Chart.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: prometheus +version: 1.2.2 +appVersion: 2.8.0 +tillerVersion: ">=2.7.2" diff --git a/manager/manifests/istio/charts/prometheus/templates/_helpers.tpl b/manager/manifests/istio/charts/prometheus/templates/_helpers.tpl new file mode 100644 index 0000000000..039388329b --- /dev/null +++ b/manager/manifests/istio/charts/prometheus/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml b/manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml new file mode 100644 index 0000000000..06fdfaf533 --- /dev/null +++ b/manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml 
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: prometheus-{{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - nodes/proxy
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
diff --git a/manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml b/manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml
new file mode 100644
index 0000000000..295e0df729
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-{{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/configmap.yaml b/manager/manifests/istio/charts/prometheus/templates/configmap.yaml
new file mode 100644
index 0000000000..1b26fa5a15
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/configmap.yaml
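Review bot: The first rule of the prometheus ClusterRole lists `nodes/proxy` beside `nodes`, `services`, `endpoints` and `pods`, so the `prometheus` service account can reach any kubelet endpoint through the API server proxy, not only the metrics path. The `kubernetes-nodes` job in configmap.yaml does scrape `/api/v1/nodes/${1}/proxy/metrics`, so the permission is used, but a scrape needs only `get`. I would give it its own rule, `resources: ["nodes/proxy"]` with `verbs: ["get"]`, and add a comment naming the scrape job that depends on it. Scraping kubelets directly with the narrower `nodes/metrics` resource would remove the proxy grant altogether, at the cost of changing the scrape config.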
@@ -0,0 +1,281 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ prometheus.yml: |-
+ global:
+ scrape_interval: {{ .Values.scrapeInterval }}
+ scrape_configs:
+
+ - job_name: 'istio-mesh'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-telemetry;prometheus
+
+ # Scrape config for envoy stats
+ - job_name: 'envoy-stats'
+ metrics_path: /stats/prometheus
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:15090
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+ - job_name: 'istio-policy'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-policy;http-monitoring
+
+ - job_name: 'istio-telemetry'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-telemetry;http-monitoring
+
+ - job_name: 'pilot'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-pilot;http-monitoring
+
+ - job_name: 'galley'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-galley;http-monitoring
+
+ - job_name: 'citadel'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - {{ .Release.Namespace }}
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istio-citadel;http-monitoring
+
+ # scrape config for API servers
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - default
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: kubernetes;https
+
+ # scrape config for nodes (kubelet)
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ # Scrape config for Kubelet cAdvisor.
+ #
+ # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
+ # (those whose names begin with 'container_') have been removed from the
+ # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
+ # retrieve those metrics.
+ #
+ # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
+ # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
+ # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
+ # the --cadvisor-port=0 Kubelet flag).
+ #
+ # This job is not necessary and should be removed in Kubernetes 1.6 and
+ # earlier versions, or it will cause the metrics to be scraped twice.
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+
+ # scrape config for service endpoints.
+ - job_name: 'kubernetes-service-endpoints'
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: keep
+ regex: ((;.*)|(.*;http))
+ - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
+ action: drop
+ regex: (true)
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
+
+ - job_name: 'kubernetes-pods-istio-secure'
+ scheme: https
+ tls_config:
+ ca_file: /etc/istio-certs/root-cert.pem
+ cert_file: /etc/istio-certs/cert-chain.pem
+ key_file: /etc/istio-certs/key.pem
+ insecure_skip_verify: true # prometheus does not support secure naming.
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ # sidecar status annotation is added by sidecar injector and
+ # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
+ - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
+ action: keep
+ regex: (([^;]+);([^;]*))|(([^;]*);(true))
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: drop
+ regex: (http)
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__] # Only keep address that is host:port
+ action: keep # otherwise an extra target with ':443' is added for https scheme
+ regex: ([^:]+):(\d+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod_name
\ No newline at end of file
diff --git a/manager/manifests/istio/charts/prometheus/templates/deployment.yaml b/manager/manifests/istio/charts/prometheus/templates/deployment.yaml
new file mode 100644
index 0000000000..8d89aaf46e
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/deployment.yaml
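Review bot: In the `kubernetes-pods-istio-secure` job, `insecure_skip_verify: true` turns off verification of the target's certificate, so the `ca_file` set above it does not authenticate any scrape target and Prometheus accepts metrics from whatever answers at the discovered address. The inline comment gives the reason but not that consequence; I would extend it to `# prometheus does not support secure naming, so the server certificate is not verified`. This job, `kubernetes-pods` and `kubernetes-service-endpoints` also discover across all namespaces and take scheme, path and port from annotations, so anyone allowed to create annotated pods or services can add scrape targets. A `namespaces:` restriction like the one on the Istio jobs would bound that if cluster-wide scraping is not intended.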
@@ -0,0 +1,80 @@
+# TODO: the original template has service account, roles, etc
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: prometheus
+ template:
+ metadata:
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: prometheus
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: prometheus
+ image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - '--storage.tsdb.retention={{ .Values.retention }}'
+ - '--config.file=/etc/prometheus/prometheus.yml'
+ ports:
+ - containerPort: 9090
+ name: http
+ livenessProbe:
+ httpGet:
+ path: /-/healthy
+ port: 9090
+ readinessProbe:
+ httpGet:
+ path: /-/ready
+ port: 9090
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/prometheus
+ - mountPath: /etc/istio-certs
+ name: istio-certs
+ volumes:
+ - name: config-volume
+ configMap:
+ name: prometheus
+ - name: istio-certs
+ secret:
+ defaultMode: 420
+{{- if not .Values.security.enabled }}
+ optional: true
+{{- end }}
+ secretName: istio.default
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/ingress.yaml b/manager/manifests/istio/charts/prometheus/templates/ingress.yaml
new file mode 100644
index 0000000000..43be655232
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/ingress.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+{{- if .Values.ingress.hosts }}
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: prometheus
+ servicePort: 9090
+ {{- end -}}
+{{- else }}
+ - http:
+ paths:
+ - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
+ backend:
+ serviceName: prometheus
+ servicePort: 9090
+{{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/prometheus/templates/service.yaml b/manager/manifests/istio/charts/prometheus/templates/service.yaml
new file mode 100644
index 0000000000..d92525df07
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/service.yaml
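Review bot: The `prometheus` container in deployment.yaml has no `securityContext`, while the pod mounts the `istio.default` secret (certificate chain and private key) at `/etc/istio-certs`. I would add `securityContext:` with `allowPrivilegeEscalation: false` and `runAsNonRoot: true` under the container; whether a numeric `runAsUser` is also required depends on how the image declares its user, which the patch does not show. The leading `# TODO: the original template has service account, roles, etc` should state what was changed relative to the upstream template, since a ServiceAccount and ClusterRole for prometheus are added elsewhere in this same patch.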
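Review bot: When `ingress.enabled` is true, ingress.yaml routes outside traffic straight to `prometheus:9090`, and nothing in the chart puts authentication in front of the Prometheus UI and HTTP API; TLS is rendered only if `ingress.tls` is set. The same applies to the `prometheus-nodeport` Service in service.yaml, which opens port 9090 on every node when `service.nodePort.enabled` is true. Both switches default to `false` in values.yaml; I would keep that and document the exposure next to them, e.g. `# Exposes Prometheus without authentication; enable only behind an authenticating proxy or on a restricted network`. `extensions/v1beta1` is also the legacy Ingress API group and will need updating for newer clusters.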
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ prometheus.io/scrape: 'true'
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ selector:
+ app: prometheus
+ ports:
+ - name: http-prometheus
+ protocol: TCP
+ port: 9090
+
+{{- if .Values.service.nodePort.enabled }}
+# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus-nodeport
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ type: NodePort
+ ports:
+ - port: 9090
+ nodePort: {{ .Values.service.nodePort.port }}
+ name: http-prometheus
+ selector:
+ app: prometheus
+{{- end }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml b/manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..7c2fab3f4c
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus
+ chart: {{ template "prometheus.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml b/manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
new file mode 100644
index 0000000000..289a56f51b
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "prometheus.fullname" . }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: prometheus-test
+ chart: {{ template "prometheus.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: prometheus
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ template "prometheus.fullname" . }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 2 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/prometheus/values.yaml b/manager/manifests/istio/charts/prometheus/values.yaml
new file mode 100644
index 0000000000..b52fd55662
--- /dev/null
+++ b/manager/manifests/istio/charts/prometheus/values.yaml
@@ -0,0 +1,59 @@
+#
+# addon prometheus configuration
+#
+enabled: true
+replicaCount: 1
+hub: docker.io/prom
+tag: v2.8.0
+retention: 6h
+nodeSelector: {}
+tolerations: []
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
+
+# Controls the frequency of prometheus scraping
+scrapeInterval: 15s
+
+contextPath: /prometheus
+
+ingress:
+ enabled: false
+ ## Used to create an Ingress record.
+ hosts:
+ - prometheus.local
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: prometheus-tls
+ # hosts:
+ # - prometheus.local
+
+service:
+ annotations: {}
+ nodePort:
+ enabled: false
+ port: 32090
+
+security:
+ enabled: true
diff --git a/manager/manifests/istio/charts/security/Chart.yaml b/manager/manifests/istio/charts/security/Chart.yaml
new file mode 100644
index 0000000000..f2f4ad59e3
--- /dev/null
+++ b/manager/manifests/istio/charts/security/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: security
+version: 1.2.2
+appVersion: 1.2.2
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio authentication
+keywords:
+ - istio
+ - security
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/security/templates/_helpers.tpl b/manager/manifests/istio/charts/security/templates/_helpers.tpl
new file mode 100644
index 0000000000..7f36f9d510
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "security.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "security.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "security.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml b/manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml
new file mode 100644
index 0000000000..858c6c5f71
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml
@@ -0,0 +1,125 @@
+# The reason for creating a ServiceAccount and ClusterRole specifically for this
+# post-delete hooked job is because the citadel ServiceAccount is being deleted
+# before this hook is launched. On the other hand, running this hook before the
+# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
+# will be re-created immediately by the to-be-deleted citadel.
+#
+# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
+# will be ready before running the hooked Job therefore the hook weights.
+
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-cleanup-secrets-service-account
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "2"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-cleanup-secrets-service-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-cleanup-secrets-{{ .Values.global.tag | printf "%v" | trunc 32 }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "3"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ name: istio-cleanup-secrets
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-cleanup-secrets-service-account
+ containers:
+ - name: kubectl
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -c
+ - >
+ kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
+ ns=$(echo $entry | awk '{print $1}');
+ name=$(echo $entry | awk '{print $2}');
+ kubectl delete secret $name -n $ns;
+ done
+ restartPolicy: OnFailure
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/clusterrole.yaml b/manager/manifests/istio/charts/security/templates/clusterrole.yaml
new file mode 100644
index 0000000000..cdeb0c054e
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/clusterrole.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "update"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
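Review bot: The header comment of cleanup-secrets.yaml explains the hook ordering but not the privilege involved: the `istio-cleanup-secrets-{{ .Release.Namespace }}` ClusterRole allows `list` and `delete` on secrets in every namespace, and `list` returns the secret data. All four hook objects carry only `hook-succeeded` as delete policy, so they presumably stay in the cluster if the Job does not complete; the comment should say so, e.g. `# NOTE: grants cluster-wide list/delete on secrets; verify these hook objects are gone if the cleanup Job fails`. In the Job script I would select by type instead of grepping table output, and quote the variables: `kubectl get secret --all-namespaces --field-selector type=istio.io/key-and-cert --no-headers` and `kubectl delete secret "$name" -n "$ns";`. Separately, the ServiceAccount renders `imagePullSecrets` twice (before `metadata:` and again after `labels:`) when `global.imagePullSecrets` is set; one of the two blocks should be removed.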
diff --git a/manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..0a15799ce9
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/security/templates/configmap.yaml b/manager/manifests/istio/charts/security/templates/configmap.yaml
new file mode 100644
index 0000000000..14749fd657
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/configmap.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-security-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+data:
+ custom-resources.yaml: |-
+ {{- if .Values.global.mtls.enabled }}
+ {{- include "security-default.yaml.tpl" . | indent 4}}
+ {{- else }}
+ {{- include "security-permissive.yaml.tpl" . | indent 4}}
+ {{- end }}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml b/manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml
new file mode 100644
index 0000000000..8513d79dbb
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml 
@@ -0,0 +1,101 @@
+{{- if .Values.createMeshPolicy }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-security-post-install-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-security-post-install-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["networking.istio.io"] # needed to create security destination rules
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get"]
+- apiGroups: ["extensions", "apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-security-post-install-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-security-post-install-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ template:
+ metadata:
+ name: istio-security-post-install
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-security-post-install-account
+ containers:
+ - name: kubectl
+ image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
+ imagePullPolicy: IfNotPresent
+ command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
+ volumeMounts:
+ - mountPath: "/tmp/security"
+ name: tmp-configmap-security
+ volumes:
+ - name: tmp-configmap-security
+ configMap:
+ name: istio-security-custom-resources
+ restartPolicy: OnFailure
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ {{- include "podAntiAffinity" . | indent 6 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/deployment.yaml b/manager/manifests/istio/charts/security/templates/deployment.yaml
new file mode 100644
index 0000000000..5070f3c894
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/deployment.yaml
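Review bot: The `istio-security-post-install-{{ .Release.Namespace }}` ClusterRole in create-custom-resources-job.yaml grants `resources: ["*"]` with `verbs: ["*"]` on both `authentication.istio.io` and `networking.istio.io`, although its inline comments say it is only needed to create the default authn policy and the security destination rules. Unlike the Job, the ServiceAccount, ClusterRole and ClusterRoleBinding carry no `helm.sh/hook` annotations, so this wildcard grant appears to remain for the life of the release after the one-shot Job has finished. I would narrow each rule to the kinds that `custom-resources.yaml` actually contains and to the verbs `run.sh` uses; neither template is in this hunk, so the exact list needs checking against them. The two RBAC objects here also use `rbac.authorization.k8s.io/v1beta1` while the other RBAC objects visible in this patch use `v1`; `apiVersion: rbac.authorization.k8s.io/v1` would be consistent.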
@@ -0,0 +1,108 @@ +# istio CA watching all namespaces +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-citadel + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: citadel + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-citadel-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: citadel +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - --append-dns-names=true + - --grpc-port=8060 + - --citadel-storage-namespace={{ .Release.Namespace }} + - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }} + - --monitoring-port={{ .Values.global.monitoringPort }} + {{- if .Values.selfSigned }} + - --self-signed-ca=true + {{- else }} + - --self-signed-ca=false + - --signing-cert=/etc/cacerts/ca-cert.pem + - --signing-key=/etc/cacerts/ca-key.pem + - --root-cert=/etc/cacerts/root-cert.pem + - --cert-chain=/etc/cacerts/cert-chain.pem + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} + {{- if .Values.workloadCertTtl }} + - --workload-cert-ttl={{ .Values.workloadCertTtl }} + {{- end }} + {{- if .Values.citadelHealthCheck }} 
+ - --liveness-probe-path=/tmp/ca.liveness # path to the liveness health check status file + - --liveness-probe-interval=60s # interval for health check file update + - --probe-check-interval=15s # interval for health status check + {{- end }} + {{- if .Values.citadelHealthCheck }} + livenessProbe: + exec: + command: + - /usr/local/bin/istio_ca + - probe + - --probe-path=/tmp/ca.liveness # path to the liveness health check status file + - --interval=125s # the maximum time gap allowed between the file mtime and the current sys clock + initialDelaySeconds: 60 + periodSeconds: 60 + {{- end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} +{{- if not .Values.selfSigned }} + volumeMounts: + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + volumes: + - name: cacerts + secret: + secretName: cacerts + optional: true +{{- end }} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} diff --git a/manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml b/manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml new file mode 100644 index 0000000000..75e4a18e33 --- /dev/null +++ b/manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml 
@@ -0,0 +1,63 @@ +{{- define "security-default.yaml.tpl" }} +# These policy and destination rules effectively enable mTLS for all services in the mesh. For now, +# they are added to Istio installation yaml for backward compatible. In future, they should be in +# a separated yaml file so that customer can enable mTLS independent from installation. + +# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh. +apiVersion: "authentication.istio.io/v1alpha1" +kind: "MeshPolicy" +metadata: + name: "default" + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + peers: + - mtls: {} +--- +# Corresponding destination rule to configure client side to use mutual TLS when talking to +# any service (host) in the mesh. +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: "default" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: "*.local" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar. +# Customer should add similar destination rules for other services that don't have sidecar. +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: "api-server" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . 
}} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: DISABLE +{{- end }} diff --git a/manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml b/manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml new file mode 100644 index 0000000000..a6931b3b94 --- /dev/null +++ b/manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml @@ -0,0 +1,16 @@ +{{- define "security-permissive.yaml.tpl" }} +# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. +apiVersion: "authentication.istio.io/v1alpha1" +kind: "MeshPolicy" +metadata: + name: "default" + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + peers: + - mtls: + mode: PERMISSIVE +{{- end }} diff --git a/manager/manifests/istio/charts/security/templates/meshexpansion.yaml b/manager/manifests/istio/charts/security/templates/meshexpansion.yaml new file mode 100644 index 0000000000..581ce964a7 --- /dev/null +++ b/manager/manifests/istio/charts/security/templates/meshexpansion.yaml 
@@ -0,0 +1,56 @@ +{{- if .Values.global.meshExpansion.enabled }} +{{- if .Values.global.meshExpansion.useILB }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-citadel-ilb + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel +spec: + hosts: + - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-ilb-gateway + tcp: + - match: + - port: 8060 + route: + - destination: + host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 8060 +--- +{{- else }} + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-citadel + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "security.name" . }} + chart: {{ template "security.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: citadel +spec: + hosts: + - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 8060 + route: + - destination: + host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 8060 +--- +{{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/security/templates/service.yaml b/manager/manifests/istio/charts/security/templates/service.yaml new file mode 100644 index 0000000000..efea17544a --- /dev/null +++ b/manager/manifests/istio/charts/security/templates/service.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ # we use the normal name here (e.g. 'prometheus')
+ # as grafana is configured to use this as a data source
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: citadel
+spec:
+ ports:
+ - name: grpc-citadel
+ port: 8060
+ targetPort: 8060
+ protocol: TCP
+ - name: http-monitoring
+ port: {{ .Values.global.monitoringPort }}
+ selector:
+ istio: citadel
diff --git a/manager/manifests/istio/charts/security/templates/serviceaccount.yaml b/manager/manifests/istio/charts/security/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..d07d566fa5
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ template "security.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml b/manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml
new file mode 100644
index 0000000000..60caeef602
--- /dev/null
+++ b/manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml
@@ -0,0 +1,36 @@ +{{- if .Values.global.enableHelmTest }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "security.fullname" . }}-test + namespace: {{ .Release.Namespace }} + labels: + app: istio-citadel-test + chart: {{ template "security.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + helm.sh/hook: test-success +spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: "{{ template "security.fullname" . }}-test" + image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1'] + restartPolicy: Never + affinity: + {{- include "nodeaffinity" . | indent 4 }} + {{- include "podAntiAffinity" . | indent 4 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 2 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 2 }} + {{- end }} +{{- end }} diff --git a/manager/manifests/istio/charts/security/values.yaml b/manager/manifests/istio/charts/security/values.yaml new file mode 100644 index 0000000000..febb43d43a --- /dev/null +++ b/manager/manifests/istio/charts/security/values.yaml 
@@ -0,0 +1,36 @@
+#
+# security configuration
+#
+enabled: true
+replicaCount: 1
+image: citadel
+selfSigned: true # indicate if self-signed CA is used.
+createMeshPolicy: true
+nodeSelector: {}
+tolerations: []
+# Enable health checking on the Citadel CSR signing API.
+# https://istio.io/docs/tasks/security/health-check/
+citadelHealthCheck: false
+# 90*24hour = 2160h
+workloadCertTtl: 2160h
+
+# Specify the pod anti-affinity that allows you to constrain which nodes
+# your pod is eligible to be scheduled based on labels on pods that are
+# already running on the node rather than based on labels on nodes.
+# There are currently two types of anti-affinity:
+# "requiredDuringSchedulingIgnoredDuringExecution"
+# "preferredDuringSchedulingIgnoredDuringExecution"
+# which denote “hard” vs. “soft” requirements, you can define your values
+# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+# correspondingly.
+# For example:
+# podAntiAffinityLabelSelector:
+# - key: security
+# operator: In
+# values: S1,S2
+# topologyKey: "kubernetes.io/hostname"
+# This pod anti-affinity rule says that the pod requires not to be scheduled
+# onto a node if that node is already running a pod with label having key
+# “security” and value “S1”.
+podAntiAffinityLabelSelector: []
+podAntiAffinityTermLabelSelector: []
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml
new file mode 100644
index 0000000000..ff7bb5699c
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: sidecarInjectorWebhook
+version: 1.2.2
+appVersion: 1.2.2
+tillerVersion: ">=2.7.2"
+description: Helm chart for sidecar injector webhook deployment
+keywords:
+ - istio
+ - sidecarInjectorWebhook
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
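Review bot: `workloadCertTtl: 2160h` in the security chart's values.yaml gives every workload certificate a 90-day lifetime, alongside `selfSigned: true` and `citadelHealthCheck: false`. Nothing in this chart shows a revocation path, so a leaked workload key would stay usable for up to 90 days; a shorter value such as `workloadCertTtl: 24h` narrows that window, provided the sidecars rotate well before expiry. The comment on `selfSigned` could also state that in this mode Citadel generates its own root key, and that a cluster needing a CA chained to an existing PKI must set `selfSigned: false` and supply the `cacerts` secret that deployment.yaml mounts at `/etc/cacerts`.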
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl
new file mode 100644
index 0000000000..f3b9fb15b9
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sidecar-injector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sidecar-injector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sidecar-injector.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
new file mode 100644
index 0000000000..27f9acb517
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "patch"]
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..748a93244c
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
new file mode 100644
index 0000000000..b9bcd6ca73
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
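Review bot: The second rule of the sidecar-injector ClusterRole (clusterrole.yaml, the first hunk on this line) allows `patch` on every `mutatingwebhookconfigurations` object in the cluster, although the chart defines only one, named `istio-sidecar-injector`. That lets this service account change how pods unrelated to the mesh are mutated at admission. Drop `patch` from the existing verbs list and add a second rule for the same apiGroup and resource with `resourceNames: ["istio-sidecar-injector"]` and `verbs: ["patch"]`. The `get`, `list` and `watch` verbs can stay in the unrestricted rule; whether the injector needs anything beyond that should be checked against its code, which is not on this page.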
@@ -0,0 +1,110 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-sidecar-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: sidecar-injector +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + istio: sidecar-injector + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: {{ template "sidecar-injector.name" . }} + chart: {{ template "sidecar-injector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-sidecar-injector-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: sidecar-injector-webhook +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - --healthCheckFile=/health + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + 
- probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + secret: + secretName: istio.istio-sidecar-injector-service-account + - name: inject-config + configMap: + name: istio-sidecar-injector + items: + - key: config + path: config + - key: values + path: values + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..a30dd38e5c --- /dev/null +++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml 
@@ -0,0 +1,39 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+webhooks:
+ - name: sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ path: "/inject"
+ caBundle: ""
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ namespaceSelector:
+{{- if .Values.enableNamespacesByDefault }}
+ matchExpressions:
+ - key: name
+ operator: NotIn
+ values:
+ - {{ .Release.Namespace }}
+ - key: istio-injection
+ operator: NotIn
+ values:
+ - disabled
+{{- else }}
+ matchLabels:
+ istio-injection: enabled
+{{- end }}
+
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000..51fb3fc3ee
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+spec:
+{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
+ selector:
+ matchLabels:
+ app: {{ template "sidecar-injector.name" . }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+ {{- end }}
\ No newline at end of file
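Review bot: In mutatingwebhook.yaml, `failurePolicy: Fail` combined with the `enableNamespacesByDefault` branch of `namespaceSelector` makes pod creation in almost every namespace depend on the injector being reachable, and the chart's values.yaml runs it with `replicaCount: 1`. That branch excludes only namespaces labelled `name: {{ .Release.Namespace }}` or `istio-injection: disabled`; the `name` label is not applied by Kubernetes itself and `kube-system` is not excluded, so an injector outage could stop system pods from being recreated. Either add a `NotIn` expression covering system namespaces or document that they must be labelled `istio-injection: disabled` before the flag is turned on. A comment beside `caBundle: ""` should also note that matching pod creations presumably fail until the injector has patched the bundle in.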
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml
new file mode 100644
index 0000000000..a68557a847
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+spec:
+ ports:
+ - port: 443
+ selector:
+ istio: sidecar-injector
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..d4020b5170
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ template "sidecar-injector.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml
new file mode 100644
index 0000000000..eba94679fe
--- /dev/null
+++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml
@@ -0,0 +1,42 @@ +# +# sidecar-injector webhook configuration +# +enabled: true +replicaCount: 1 +image: sidecar_injector +enableNamespacesByDefault: false +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] + +# If true, webhook or istioctl injector will rewrite PodSpec for liveness +# health check to redirect request to sidecar. This makes liveness check work +# even when mTLS is enabled. +rewriteAppHTTPProbe: false + +# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or +# always skip the injection on pods that match that label selector, regardless of the global policy. +# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions +neverInjectSelector: [] + +alwaysInjectSelector: [] \ No newline at end of file diff --git a/manager/manifests/istio/charts/tracing/Chart.yaml b/manager/manifests/istio/charts/tracing/Chart.yaml new file mode 100644 index 0000000000..5a20fa1d2c --- /dev/null +++ b/manager/manifests/istio/charts/tracing/Chart.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: tracing +version: 1.2.2 +appVersion: 1.5.1 +tillerVersion: ">=2.7.2" diff --git a/manager/manifests/istio/charts/tracing/templates/_helpers.tpl b/manager/manifests/istio/charts/tracing/templates/_helpers.tpl new file mode 100644 index 0000000000..e246b59b1e --- /dev/null +++ b/manager/manifests/istio/charts/tracing/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "tracing.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "tracing.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tracing.chart" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml b/manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml new file mode 100644 index 0000000000..553cd59e23 --- /dev/null +++ b/manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml 
@@ -0,0 +1,92 @@ +{{ if eq .Values.provider "jaeger" }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + namespace: {{ .Release.Namespace }} + labels: + app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: jaeger + template: + metadata: + labels: + app: jaeger + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "16686" +{{- if .Values.contextPath }} + prometheus.io/path: "{{ .Values.contextPath }}/metrics" +{{- else }} + prometheus.io/path: "/{{ .Values.provider }}/metrics" +{{- end }} + spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} +{{- end }} +{{- end }} + containers: + - name: jaeger + image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "{{ .Values.jaeger.memory.max_traces }}" + - name: QUERY_BASE_PATH + value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: +{{- if .Values.jaeger.resources }} +{{ toYaml .Values.jaeger.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} +{{ end }} diff --git a/manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml b/manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml new file mode 100644 index 0000000000..c3b85f7e5e --- /dev/null +++ b/manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml 
@@ -0,0 +1,82 @@ +{{ if eq .Values.provider "zipkin" }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + namespace: {{ .Release.Namespace }} + labels: + app: zipkin + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + selector: + matchLabels: + app: zipkin + template: + metadata: + labels: + app: zipkin + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.imagePullSecrets }} + imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} + containers: + - name: zipkin + image: "{{ .Values.zipkin.hub }}/zipkin:{{ .Values.zipkin.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: {{ .Values.zipkin.queryPort }} + livenessProbe: + initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} + tcpSocket: + port: {{ .Values.zipkin.queryPort }} + readinessProbe: + initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} + httpGet: + path: /health + port: {{ .Values.zipkin.queryPort }} + resources: +{{- if .Values.zipkin.resources }} +{{ toYaml .Values.zipkin.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: QUERY_PORT + value: "{{ .Values.zipkin.queryPort }}" + - name: JAVA_OPTS + value: "-XX:ConcGCThreads={{ .Values.zipkin.node.cpus }} -XX:ParallelGCThreads={{ .Values.zipkin.node.cpus }} -Djava.util.concurrent.ForkJoinPool.common.parallelism={{ .Values.zipkin.node.cpus }} -Xms{{ .Values.zipkin.javaOptsHeap }}M -Xmx{{ 
.Values.zipkin.javaOptsHeap }}M -XX:+UseG1GC -server" + - name: STORAGE_METHOD + value: "mem" + - name: ZIPKIN_STORAGE_MEM_MAXSPANS + value: "{{ .Values.zipkin.maxSpans }}" + affinity: + {{- include "nodeaffinity" . | indent 6 }} + {{- include "podAntiAffinity" . | indent 6 }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6 }} + {{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} + {{- end }} +{{ end }} diff --git a/manager/manifests/istio/charts/tracing/templates/ingress.yaml b/manager/manifests/istio/charts/tracing/templates/ingress.yaml new file mode 100644 index 0000000000..72f362166d --- /dev/null +++ b/manager/manifests/istio/charts/tracing/templates/ingress.yaml @@ -0,0 +1,41 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ template "tracing.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Values.provider }} + chart: {{ template "tracing.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + rules: +{{- if .Values.ingress.hosts }} + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host }} + http: + paths: + - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} /{{ $.Values.provider }} {{ end }} + backend: + serviceName: tracing + servicePort: 80 + + {{- end -}} +{{- else }} + - http: + paths: + - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} + backend: + serviceName: tracing + servicePort: 80 +{{- end }} + {{- if .Values.ingress.tls }} + tls: +{{ toYaml .Values.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} 
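Review bot: With `ingress.enabled` set and `ingress.tls` left empty, both rule branches in `ingress.yaml` route the `tracing` service (port 80) over plain HTTP, and the template adds no authentication of its own in front of the tracing UI. The chart default is `enabled: false`, so this only bites when someone turns it on, but nothing warns them at that point. I would add a header comment to the template, e.g. `{{/* Publishes the tracing UI: enable only with ingress.tls set and authentication enforced at the ingress controller. */}}`, and repeat it next to `ingress.enabled` in `values.yaml`.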
diff --git a/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml b/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml
new file mode 100644
index 0000000000..23979baf8d
--- /dev/null
+++ b/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml
@@ -0,0 +1,90 @@
+{{ if eq .Values.provider "jaeger" }}
+
+apiVersion: v1
+kind: List
+metadata:
+ name: jaeger-services
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-query
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: jaeger
+ jaeger-infra: jaeger-service
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: query-http
+ port: 16686
+ protocol: TCP
+ targetPort: 16686
+ selector:
+ app: jaeger
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ jaeger-infra: collector-service
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: jaeger-collector-tchannel
+ port: 14267
+ protocol: TCP
+ targetPort: 14267
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ selector:
+ app: jaeger
+ type: ClusterIP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-agent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ jaeger-infra: agent-service
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: agent-zipkin-thrift
+ port: 5775
+ protocol: UDP
+ targetPort: 5775
+ - name: agent-compact
+ port: 6831
+ protocol: UDP
+ targetPort: 6831
+ - name: agent-binary
+ port: 6832
+ protocol: UDP
+ targetPort: 6832
+ clusterIP: None
+ selector:
+ app: jaeger
+{{ end }}
+
diff --git a/manager/manifests/istio/charts/tracing/templates/service.yaml b/manager/manifests/istio/charts/tracing/templates/service.yaml
new file mode 100644
index 0000000000..fe94067b0a
--- /dev/null
+++ b/manager/manifests/istio/charts/tracing/templates/service.yaml
@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: List
+metadata:
+ name: tracing-services
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: 9411
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: {{ .Values.provider }}
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+ app: {{ .Values.provider }}
+ chart: {{ template "tracing.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ spec:
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+{{ if eq .Values.provider "jaeger" }}
+ targetPort: 16686
+{{ else }}
+ targetPort: 9411
+{{ end}}
+ selector:
+ app: {{ .Values.provider }}
diff --git a/manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml b/manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml
new file mode 100644
index 0000000000..01b1767902
--- /dev/null
+++ b/manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.global.enableHelmTest }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ .Release.Name }}-{{ .Values.provider }}-test
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.provider }}-test
+ chart: {{ template "tracing.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+ helm.sh/hook: test-success
+spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: "{{ .Values.provider }}-test"
+ image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
+ imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+ command: ['curl']
+ {{- if eq .Values.provider "jaeger" }}
+ args: ['http://tracing:80{{ .Values.jaeger.contextPath}}']
+ {{- else }}
+ args: ['http://tracing:80']
+ {{- end }}
+ restartPolicy: Never
+ affinity:
+ {{- include "nodeaffinity" . | indent 4 }}
+ {{- include "podAntiAffinity" . | indent 4 }}
+ {{- if .Values.tolerations }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 2 }}
+ {{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/manager/manifests/istio/charts/tracing/values.yaml b/manager/manifests/istio/charts/tracing/values.yaml
new file mode 100644
index 0000000000..d05b650fcc
--- /dev/null
+++ b/manager/manifests/istio/charts/tracing/values.yaml
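Review bot: The jaeger branch of the test pod builds its URL from `.Values.jaeger.contextPath`, while the Jaeger deployment and the Ingress in this commit take the base path from `.Values.contextPath` with a fallback of `/{{ .Values.provider }}`, and the chart's `values.yaml` defines neither key. With defaults the test therefore requests `http://tracing:80` although `QUERY_BASE_PATH` is `/jaeger`. `curl` without `--fail` also exits 0 on an HTTP error status, so the hook would likely report success either way. Suggested for the jaeger branch: `args: ['--fail', 'http://tracing:80{{ if .Values.contextPath }}{{ .Values.contextPath }}{{ else }}/{{ .Values.provider }}{{ end }}']`, and `'--fail'` in the other branch as well.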
@@ -0,0 +1,77 @@ +# +# addon jaeger tracing configuration +# +enabled: false + +provider: jaeger +nodeSelector: {} +tolerations: [] + +# Specify the pod anti-affinity that allows you to constrain which nodes +# your pod is eligible to be scheduled based on labels on pods that are +# already running on the node rather than based on labels on nodes. +# There are currently two types of anti-affinity: +# "requiredDuringSchedulingIgnoredDuringExecution" +# "preferredDuringSchedulingIgnoredDuringExecution" +# which denote “hard” vs. “soft” requirements, you can define your values +# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" +# correspondingly. +# For example: +# podAntiAffinityLabelSelector: +# - key: security +# operator: In +# values: S1,S2 +# topologyKey: "kubernetes.io/hostname" +# This pod anti-affinity rule says that the pod requires not to be scheduled +# onto a node if that node is already running a pod with label having key +# “security” and value “S1”. +podAntiAffinityLabelSelector: [] +podAntiAffinityTermLabelSelector: [] + +jaeger: + hub: docker.io/jaegertracing + tag: 1.9 + memory: + max_traces: 50000 + +zipkin: + hub: docker.io/openzipkin + tag: 2 + probeStartupDelay: 200 + queryPort: 9411 + resources: + limits: + cpu: 300m + memory: 900Mi + requests: + cpu: 150m + memory: 900Mi + javaOptsHeap: 700 + # 
From: https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/resources/zipkin-server-shared.yml#L51 + # Maximum number of spans to keep in memory. When exceeded, oldest traces (and their spans) will be purged. + # A safe estimate is 1K of memory per span (each span with 2 annotations + 1 binary annotation), plus + # 100 MB for a safety buffer. You'll need to verify in your own environment. + maxSpans: 500000 + node: + cpus: 2 + +service: + annotations: {} + name: http + type: ClusterIP + externalPort: 9411 + +ingress: + enabled: false + # Used to create an Ingress record. + hosts: + # - tracing.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: tracing-tls + # hosts: + # - tracing.local + diff --git a/manager/manifests/istio/example-values/README.md b/manager/manifests/istio/example-values/README.md new file mode 100644 index 0000000000..74fedcb607 --- /dev/null +++ b/manager/manifests/istio/example-values/README.md @@ -0,0 +1,5 @@ +# Example Values + +These files provide various example values for different Istio setups. + +To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`. diff --git a/manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml b/manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml new file mode 100644 index 0000000000..cf097c7f18 --- /dev/null +++ b/manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml 
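Review bot: `tag: 2` under `zipkin` is a floating major-version tag and `tag: 1.9` under `jaeger` may also be re-pointed upstream, so the images pulled from `docker.io/openzipkin` and `docker.io/jaegertracing` can change between installs with no change in this repository. Pin both to a full release version or an image digest. Quote the values as well, e.g. `tag: "1.9"`, because an unquoted tag is parsed as a YAML number and a value like 1.10 would render as 1.1 in the `image:` line of the deployment templates.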
@@ -0,0 +1,27 @@
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ sds:
+ enabled: true
+ udsPath: "unix:/var/run/sds/uds_path"
+ useNormalJwt: true
+
+nodeagent:
+ enabled: true
+ image: node-agent-k8s
+ env:
+ # The IP address and the port number of a publicly accessible example Vault server.
+ CA_ADDR: "https://34.83.129.211:8200"
+ CA_PROVIDER: "VaultCA"
+ VALID_TOKEN: true
+ # The IP address and the port number of a publicly accessible example Vault server.
+ VAULT_ADDR: "https://34.83.129.211:8200"
+ VAULT_AUTH_PATH: "auth/kubernetes/login"
+ VAULT_ROLE: "istio-cert"
+ VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role"
+ VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAO1S7vuRQmo2He+RtBq3fv8wDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTkwNDI3MTY1ODE1WhgPMjExOTA0MDMxNjU4\nMTVaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA7/CTbnENEIvFZg9hmVtYnOx3OfMy/GNCuP7sqtAeVVTopAKKkcAAWQck\nrhpBooEGpCugNxXGNCuJh/2nu0AfGFRfdafwSJRoI6yHwQouDm0o4r3h9uL3tu5N\nD+x9j+eejbFsoZVn84CxGkEB6oyeXYHjc6eWh3PFGMtKuOQD4pezvDH0yNCx5waK\nhtPuYtl0ebfdbyh+WQuptO+Q9VSaQNqE3ipZ461y8PduwRRll241W0gQB2iasX03\nD36F2ZrMz3KEVRVKM1yCUDCy2RPJqkXPdnVMWmDGbe8Uw69zr25JltzuRZFT9HL3\nY1RnMTecmSc4ikTUHcMhFX3PYbfR5wIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQiU4HTMA0GCSqGSIb3DQEBCwUAA4IB\nAQCdLh6olDVQB71LD6srbfAE4EsxLEBbIRnv7Nf1S0KQwgW/QxK8DHBwJBxJkr1N\nzgEPx86f2Fo2UsY9m6rvgP3+iquyMsKi0ooUah3y3LSnONuZcdfSTl/HYd38S6Dp\nVkVOZ7781xxpFVUqQ5voQX1Y1Ipn5qw0FyIcNYWLkNX+iMf1b9kpEIWQNhRC/Yiv\nTS0VA/BzQemGyf2UB6QsuZLH+JFEZnzU859qURnNIITa1Wf4YUtka5Sp1kDnEll3\nwj4IlXKU+Wl1CzxJyn4SSQAXy/Lb08ZKrF/YSzcIISnRX5j+wa8ApOSwwA/B7iaT\nTWz1g+RlV9qHap70eIjPsQvb\n-----END CERTIFICATE-----'
\ No newline at end of file
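Review bot: `CA_ADDR` and `VAULT_ADDR` in this example point at a fixed public address, and `VAULT_TLS_ROOT_CERT` carries a root certificate that appears to belong to that same server, so a cluster installed with the file as written would send workload certificate signing requests to a Vault instance the operator does not control. The file also sets `controlPlaneSecurityEnabled: false`. If the example has to live in this repository, replace the three values with placeholders and add a header comment such as `# Example only: set CA_ADDR, VAULT_ADDR and VAULT_TLS_ROOT_CERT to your own Vault before use`. The file ends without a trailing newline.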
diff --git a/manager/manifests/istio/example-values/values-istio-gateways.yaml b/manager/manifests/istio/example-values/values-istio-gateways.yaml
new file mode 100644
index 0000000000..b9930d0a0b
--- /dev/null
+++ b/manager/manifests/istio/example-values/values-istio-gateways.yaml
@@ -0,0 +1,135 @@ +# Common settings. +global: + # Omit the istio-sidecar-injector configmap when generate a + # standalone gateway. Gateways may be created in namespaces other + # than `istio-system` and we don't want to re-create the injector + # configmap in those. + omitSidecarInjectorConfigMap: true + + # Istio control plane namespace: This specifies where the Istio control + # plane was installed earlier. Modify this if you installed the control + # plane in a different namespace than istio-system. + istioNamespace: istio-system + + proxy: + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + +# +# Gateways Configuration +# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. +# You can add more gateways in addition to the defaults but make sure those are uniquely named +# and that NodePorts are not conflicting. +# Disable specific gateway by setting the `enabled` to false. 
+# +gateways: + enabled: true + + custom-gateway: + enabled: true + labels: + app: custom-gateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + #requests: + # cpu: 1800m + # memory: 256Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + loadBalancerSourceRanges: {} + externalIPs: [] + serviceAnnotations: {} + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out + ports: + ## You can add custom gateway ports + - port: 80 + targetPort: 80 + name: http2 + # nodePort: 31380 + - port: 443 + name: https + # nodePort: 31390 + - port: 31400 + name: tcp + # nodePort: 31400 + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + # Addon ports for kiali are enabled in gateway - but will only redirect if + # the gateway configuration for the various components are enabled. + - port: 15029 + targetPort: 15029 + name: http2-kiali + # Telemetry-related ports are enabled in gateway - but will only redirect if + # the gateway configuration for the various components are enabled. 
+ - port: 15030 + targetPort: 15030 + name: http2-prometheus + - port: 15031 + targetPort: 15031 + name: http2-grafana + - port: 15032 + targetPort: 15032 + name: http2-tracing + secretVolumes: + - name: customgateway-certs + secretName: istio-customgateway-certs + mountPath: /etc/istio/customgateway-certs + - name: customgateway-ca-certs + secretName: istio-customgateway-ca-certs + mountPath: /etc/istio/customgateway-ca-certs + +# all other components are disabled except the gateways +security: + enabled: false + +sidecarInjectorWebhook: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +pilot: + enabled: false + +grafana: + enabled: false + +prometheus: + enabled: false + +tracing: + enabled: false + +kiali: + enabled: false + +certmanager: + enabled: false diff --git a/manager/manifests/istio/example-values/values-istio-googleca.yaml b/manager/manifests/istio/example-values/values-istio-googleca.yaml new file mode 100644 index 0000000000..e0c633ea1d --- /dev/null +++ b/manager/manifests/istio/example-values/values-istio-googleca.yaml @@ -0,0 +1,22 @@ +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + sds: + enabled: true + udsPath: "unix:/var/run/sds/uds_path" + useTrustworthyJwt: true + + trustDomain: "" + +nodeagent: + enabled: true + image: node-agent-k8s + env: + CA_PROVIDER: "GoogleCA" + CA_ADDR: "istioca.googleapis.com:443" + Plugins: "GoogleTokenExchange" diff --git a/manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml b/manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml new file mode 100644 index 0000000000..3524a3d478 --- /dev/null +++ b/manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml 
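Review bot: The `custom-gateway` example in `values-istio-gateways.yaml` sets `type: LoadBalancer` with an empty `loadBalancerSourceRanges`, and its `ports` list includes 15011 (pilot), 8060 (citadel) and 15029 to 15032 (kiali, prometheus, grafana, tracing), so applying the file as written opens those listeners on an external load balancer to any source address. The inline comments say the ports only forward once the matching gateway configuration is enabled, but they are still published on the load balancer. I would keep only 80 and 443 active in the example and comment the rest out, or show a restricted range such as `loadBalancerSourceRanges: ["<admin-cidr>"]`. The Kubernetes field is a list, so the current `{}` should be `[]`.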
@@ -0,0 +1,27 @@
+global:
+ # Provides dns resolution for global services
+ podDNSSearchNamespaces:
+ - global
+ - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+ multiCluster:
+ enabled: true
+
+ controlPlaneSecurityEnabled: true
+
+# Multicluster with gateways requires a root CA
+# Cluster local CAs are bootstrapped with the root CA.
+security:
+ selfSigned: false
+
+# Provides dns resolution for service entries of form
+# name.namespace.global
+istiocoredns:
+ enabled: true
+
+gateways:
+ istio-egressgateway:
+ enabled: true
+ env:
+ # Needed to route traffic via egress gateway if desired.
+ ISTIO_META_REQUESTED_NETWORK_VIEW: "external"
diff --git a/manager/manifests/istio/files/injection-template.yaml b/manager/manifests/istio/files/injection-template.yaml
new file mode 100644
index 0000000000..2f0f3f069c
--- /dev/null
+++ b/manager/manifests/istio/files/injection-template.yaml
@@ -0,0 +1,348 @@ +rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} +{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} +initContainers: +{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} +{{- if not .Values.istio_cni.enabled }} +- name: istio-init +{{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" +{{- end }} + args: + - "-p" + - "15001" + - "-u" + - 1337 + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + - "-d" + - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" + resources: + requests: + cpu: 10m + 
memory: 10Mi + limits: + cpu: 100m + memory: 50Mi + securityContext: + runAsUser: 0 + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN + {{- if .Values.global.proxy.privileged }} + privileged: true + {{- end }} + restartPolicy: Always + env: + {{- if contains "*" (annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` "") }} + - name: INBOUND_CAPTURE_PORT + value: 15006 + {{- end }} +{{- end }} +{{ end -}} +{{- if eq .Values.global.proxy.enableCoreDump true }} +- name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + command: + - /bin/sh +{{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + resources: {} + securityContext: + runAsUser: 0 + runAsNonRoot: false + privileged: true +{{ end }} +{{- end }} +containers: +- name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" +{{- else }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" +{{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --configPath + - "{{ .ProxyConfig.ConfigPath }}" + - --binaryPath + - "{{ .ProxyConfig.BinaryPath }}" + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --drainDuration + - "{{ formatDuration 
.ProxyConfig.DrainDuration }}" + - --parentShutdownDuration + - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" + - --discoveryAddress + - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" +{{- if eq .Values.global.proxy.tracer "lightstep" }} + - --lightstepAddress + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" + - --lightstepAccessToken + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" + - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} + - --lightstepCacertPath + - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" +{{- else if eq .Values.global.proxy.tracer "zipkin" }} + - --zipkinAddress + - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" +{{- else if eq .Values.global.proxy.tracer "datadog" }} + - --datadogAgentAddress + - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" +{{- end }} +{{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} +{{- end}} +{{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} +{{- end}} + - --dnsRefreshRate + - {{ .Values.global.proxy.dnsRefreshRate }} + - --connectTimeout + - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" +{{- if .Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - "{{ .ProxyConfig.StatsdUdpAddress }}" +{{- end }} +{{- if .Values.global.proxy.envoyMetricsService.enabled }} + - --envoyMetricsServiceAddress + - "{{ .ProxyConfig.EnvoyMetricsServiceAddress }}" +{{- end }} + - --proxyAdminPort + - "{{ .ProxyConfig.ProxyAdminPort }}" + {{ if gt .ProxyConfig.Concurrency 0 -}} + - --concurrency + - "{{ .ProxyConfig.Concurrency }}" + {{ end -}} + - --controlPlaneAuthPolicy + - "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}" +{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" 
.Values.global.proxy.statusPort) "0") }} + - --statusPort + - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" + - --applicationPorts + - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" +{{- end }} +{{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} +{{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +{{ if eq .Values.global.proxy.tracer "datadog" }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP +{{ end }} + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + - name: ISTIO_META_INCLUDE_INBOUND_PORTS + value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{ if .ObjectMeta.Labels }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ toJSON .ObjectMeta.Labels }} + {{ end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - name: ISTIO_META_SDS_TOKEN_PATH + value: "{{ .Values.global.sds.customTokenDirectory 
-}}/sdstoken" + {{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if .Values.global.proxy.privileged }} + privileged: true + {{- end }} + {{- if ne .Values.global.proxy.enableCoreDump true }} + readOnlyRootFilesystem: true + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + {{ else -}} + {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }} + runAsGroup: 1337 + {{- end }} + runAsUser: 1337 + {{- end }} + resources: + {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end}} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{ else -}} +{{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} +{{- end }} + {{ end -}} + volumeMounts: + {{ if (isset 
.ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if .Values.global.sds.enabled }} + - mountPath: /var/run/sds + name: sds-uds-path + readOnly: true + {{- if .Values.global.sds.useTrustworthyJwt }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.sds.customTokenDirectory }} + - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" + name: custom-sds-token + readOnly: true + {{- end }} + {{- else }} + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} +volumes: +{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} +- name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} +{{- end }} +- emptyDir: + medium: Memory + name: istio-envoy +{{- if .Values.global.sds.enabled }} +- name: sds-uds-path + hostPath: + path: /var/run/sds +{{- if .Values.global.sds.customTokenDirectory }} +- name: custom-sds-token + secret: + secretName: sdstokensecret +{{- end }} +{{- if .Values.global.sds.useTrustworthyJwt }} +- name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.trustDomain }} +{{- end }} +{{- else }} +- name: istio-certs + secret: + optional: true + {{ if eq 
.Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} +- name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} +{{- end }} +{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} +- name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert +{{- end }} +{{- if .Values.global.podDNSSearchNamespaces }} +dnsConfig: + searches: + {{- range .Values.global.podDNSSearchNamespaces }} + - {{ render . }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/manager/manifests/istio/requirements.yaml b/manager/manifests/istio/requirements.yaml new file mode 100644 index 0000000000..939c49bfc7 --- /dev/null +++ b/manager/manifests/istio/requirements.yaml @@ -0,0 +1,40 @@ +dependencies: + - name: sidecarInjectorWebhook + version: 1.2.2 + condition: sidecarInjectorWebhook.enabled + - name: security + version: 1.2.2 + condition: security.enabled + - name: gateways + version: 1.2.2 + condition: gateways.enabled + - name: mixer + version: 1.2.2 + condition: or mixer.policy.enabled mixer.telemetry.enabled + - name: nodeagent + version: 1.2.2 + condition: nodeagent.enabled + - name: pilot + version: 1.2.2 + condition: pilot.enabled + - name: grafana + version: 1.2.2 + condition: grafana.enabled + - name: prometheus + version: 1.2.2 + condition: prometheus.enabled + - name: tracing + version: 1.2.2 + condition: tracing.enabled + - name: galley + version: 1.2.2 + condition: galley.enabled + - name: kiali + version: 1.2.2 + condition: kiali.enabled + - name: istiocoredns + version: 1.2.2 + condition: istiocoredns.enabled + - name: certmanager + version: 1.2.2 + condition: certmanager.enabled 
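Review bot: The `enable-core-dump` init container in `injection-template.yaml` runs as `runAsUser: 0` with `privileged: true` and writes `kernel.core_pattern`, which as far as I know is not a per-container setting, so turning on `global.proxy.enableCoreDump` would add a privileged root container to every injected pod and change core-dump handling for the whole node. The same flag also removes `readOnlyRootFilesystem: true` from the `istio-proxy` container. The values that set it are outside this hunk; please confirm it stays `false` in the values Cortex installs with. I would also add a comment above the block, e.g. `# debug only: injects a privileged root init container into every meshed pod`.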
diff --git a/manager/manifests/istio/templates/NOTES.txt b/manager/manifests/istio/templates/NOTES.txt
new file mode 100644
index 0000000000..d17982c669
--- /dev/null
+++ b/manager/manifests/istio/templates/NOTES.txt
@@ -0,0 +1,29 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To get started running application with Istio, execute the following steps:
+
+{{- if index .Values "sidecarInjectorWebhook" "enabled" }}
+1. Label namespace that application object will be deployed to by the following command (take default namespace as an example)
+
+$ kubectl label namespace default istio-injection=enabled
+$ kubectl get namespace -L istio-injection
+
+2. Deploy your applications
+
+$ kubectl apply -f .yaml
+{{- else }}
+1. Download the latest release package to get sidecar injection tool
+
+$ curl -L https://git.io/getLatestIstio | sh -
+$ mv istio-* istio-latest
+$ export PATH="$PATH:$PWD/istio-latest/bin"
+
+2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject`
+
+$ kubectl apply -f <(istioctl kube-inject -f .yaml)
+{{- end }}
+
+For more information on running Istio, visit:
+https://istio.io/
\ No newline at end of file
diff --git a/manager/manifests/istio/templates/_affinity.tpl b/manager/manifests/istio/templates/_affinity.tpl
new file mode 100644
index 0000000000..333eb9a25d
--- /dev/null
+++ b/manager/manifests/istio/templates/_affinity.tpl
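Review bot: The manual-injection branch of `NOTES.txt` tells users to run `curl -L https://git.io/getLatestIstio | sh -`, which executes a script fetched through a URL shortener with no checksum or signature check. It also installs whatever the latest `istioctl` is rather than the 1.2.2 release that `requirements.yaml` pins for every subchart. I would point at a specific release artifact and have the user verify it before running anything, e.g. `$ curl -LO <release URL for Istio 1.2.2>` followed by a checksum comparison. The two `kubectl apply -f .yaml` lines appear to have lost their file-name placeholder, at least as rendered here.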
@@ -0,0 +1,93 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{- define "nodeaffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .Values.global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - {{ $key }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .Values.podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if or .Values.podAntiAffinityTermLabelSelector}} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/manager/manifests/istio/templates/_helpers.tpl b/manager/manifests/istio/templates/_helpers.tpl new file mode 100644 index 0000000000..f79bea4157 --- /dev/null +++ b/manager/manifests/istio/templates/_helpers.tpl 
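Review bot: The selector values in these helpers are emitted unquoted (`- {{ $val }}` in nodeAffinityRequiredDuringScheduling and `- {{ $v }}` in both podAntiAffinity helpers), so a label value such as `true` or `1` renders as a YAML boolean or number where `matchExpressions.values` expects strings. The manifest would then be rejected at apply time, or the scheduling constraint would be dropped if someone works around the error by removing the selector. Quoting at the point of use avoids this: `- {{ $val | quote }}` and `- {{ $v | quote }}`.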
@@ -0,0 +1,46 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "istio.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "istio.chart" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified configmap name.
+*/}}
+{{- define "istio.configmap.fullname" -}}
+{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Configmap checksum.
+*/}}
+{{- define "istio.configmap.checksum" -}}
+{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
+{{- end -}}
diff --git a/manager/manifests/istio/templates/_podDisruptionBudget.tpl b/manager/manifests/istio/templates/_podDisruptionBudget.tpl
new file mode 100644
index 0000000000..ebb86068cc
--- /dev/null
+++ b/manager/manifests/istio/templates/_podDisruptionBudget.tpl
@@ -0,0 +1,3 @@
+{{- define "podDisruptionBudget.spec" }}
+ minAvailable: 1
+{{- end }}
diff --git a/manager/manifests/istio/templates/clusterrole.yaml b/manager/manifests/istio/templates/clusterrole.yaml
new file mode 100644
index 0000000000..b92c9ef8b4
--- /dev/null
+++ b/manager/manifests/istio/templates/clusterrole.yaml
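Review bot: `istio.configmap.checksum` hashes a path string rather than the rendered ConfigMap: `print $.Template.BasePath "/configmap.yaml" | sha256sum` gives the same digest whatever the mesh config contains. A pod annotation built from it would not change when the config changes, so workloads would keep old settings (including security-relevant ones such as `controlPlaneAuthPolicy`) until restarted by hand. The usual form renders the template before hashing: `{{- include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}`. The helper's callers are not visible in this hunk, so check how it is consumed before changing it.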
@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-reader
+rules:
+ - apiGroups: ['']
+ resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"]
+ verbs: ['get', 'watch', 'list']
+ - apiGroups: ["extensions", "apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
diff --git a/manager/manifests/istio/templates/clusterrolebinding.yaml b/manager/manifests/istio/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..827601b3dd
--- /dev/null
+++ b/manager/manifests/istio/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-multi
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader
+subjects:
+- kind: ServiceAccount
+ name: istio-multi
+ namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/templates/configmap.yaml b/manager/manifests/istio/templates/configmap.yaml
new file mode 100644
index 0000000000..02591ec805
--- /dev/null
+++ b/manager/manifests/istio/templates/configmap.yaml
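Review bot: The `istio-reader` ClusterRole and the `istio-multi` ClusterRoleBinding are rendered unconditionally, and so is the `istio-multi` ServiceAccount in serviceaccount.yaml. Every install therefore gets an identity whose token can list and watch pods, services, endpoints and nodes cluster-wide. If that account exists only for multi-cluster access, which the name suggests but the hunk does not state, the three templates would be better gated on the value that turns that mode on, the way endpoints.yaml and service.yaml gate on `.Values.global.createRemoteSvcEndpoints`. At minimum, a comment above the binding should record who consumes the token, e.g. `# istio-multi: read-only identity for <consumer>; remove if multi-cluster is not used`.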
@@ -0,0 +1,273 @@ +{{- if or .Values.pilot.enabled .Values.global.istioRemote }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istio.name" . }} + chart: {{ template "istio.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + {{- if .Values.mixer.policy.enabled }} + disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} + {{- else }} + disablePolicyChecks: true + {{- end }} + + # Set enableTracing to false to disable request tracing. + enableTracing: {{ .Values.global.enableTracing }} + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "{{ .Values.global.proxy.accessLogFile }}" + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }} + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}' + + {{- if .Values.global.istioRemote }} + + {{- if .Values.global.remotePolicyAddress }} + {{- if .Values.global.createRemoteSvcEndpoints }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 + {{- else }} + mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004 + {{- end }} + {{- end }} + {{- if .Values.global.remoteTelemetryAddress }} + {{- if .Values.global.createRemoteSvcEndpoints }} + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004 + {{- else }} + mixerReportServer: {{ 
.Values.global.remoteTelemetryAddress }}:15004 + {{- end }} + {{- end }} + + {{- else }} + + {{- if .Values.mixer.policy.enabled }} + {{- if .Values.global.controlPlaneSecurityEnabled }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 + {{- else }} + mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 + {{- end }} + {{- end }} + {{- if .Values.mixer.telemetry.enabled }} + {{- if .Values.global.controlPlaneSecurityEnabled }} + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 + {{- else }} + mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 + {{- end }} + {{- end }} + + {{- end }} + + {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} + {{- end }} + + {{- if .Values.gateways.enabled }} + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway + {{- end }} + + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }} + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: {{ .Values.global.sds.udsPath }} + + # This flag is used by secret discovery service(SDS). 
+ # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # will be used to generate key/cert eventually. This isn't supported for non-k8s case. + enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }} + + # This flag is used by secret discovery service(SDS). + # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. + # this flag is ignored if enableSdsTokenMount is set. + # This isn't supported for non-k8s case. + sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }} + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: {{ .Values.global.trustDomain }} + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: {{ .Values.global.outboundTrafficPolicy.mode }} + + localityLbSetting: +{{ toYaml .Values.global.localityLbSetting | indent 6 }} + + # The namespace to treat as the administrative root namespace for istio + # configuration. 
+ {{- if .Values.global.configRootNamespace }} + rootNamespace: {{ .Values.global.configRootNamespace }} + {{- else }} + rootNamespace: {{ .Release.Namespace }} + {{- end }} + + {{- if .Values.global.defaultConfigVisibilitySettings }} + defaultServiceExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + defaultVirtualServiceExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + defaultDestinationRuleExportTo: + {{- range .Values.global.defaultConfigVisibilitySettings }} + - {{ . | quote }} + {{- end }} + {{- end }} + + {{- if $.Values.global.useMCP }} + configSources: + - address: istio-galley.{{ $.Release.Namespace }}.svc:9901 + {{- if $.Values.global.controlPlaneSecurityEnabled}} + tlsSettings: + mode: ISTIO_MUTUAL + {{- end }} + {{- end }} + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters + # defined in Envoy's configuration file + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. 
+ # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. + # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: {{ .Values.global.proxy.concurrency }} + # + {{- if eq .Values.global.proxy.tracer "lightstep" }} + tracing: + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + # Whether communication with the Satellite pool should be secure + secure: {{ .Values.global.tracer.lightstep.secure }} + # Path to the file containing the cacert to use when verifying TLS + cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + tracing: + zipkin: + # Address of the Zipkin collector + {{- if .Values.global.tracer.zipkin.address }} + address: {{ .Values.global.tracer.zipkin.address }} + {{- else if .Values.global.remoteZipkinAddress }} + address: {{ .Values.global.remoteZipkinAddress }}:9411 + {{- else }} + address: zipkin.{{ .Release.Namespace }}:9411 + {{- end }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + tracing: + datadog: + # Address of the Datadog Agent + address: {{ 
.Values.global.tracer.datadog.address }} + {{- end }} + + {{- if .Values.global.proxy.envoyStatsd.enabled }} + # + # Statsd metrics collector converts statsd metrics into Prometheus metrics. + statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} + {{- end }} + + {{- if .Values.global.proxy.envoyMetricsService.enabled }} + # + # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API. + envoyMetricsServiceAddress: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }} + {{- end}} + + {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }} + {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }} + {{- if .Values.global.controlPlaneSecurityEnabled }} + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + discoveryAddress: {{ $defPilotHostname }}:15011 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15011 + {{- end }} + {{- else }} + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: NONE + # + # Address where istio Pilot service is running + {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} + discoveryAddress: {{ $defPilotHostname }}:15010 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15010 + {{- end }} + {{- end }} + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | indent 6 }} + {{- else }} + networks: {} + {{- end }} +{{- end }} 
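Review bot: The LightStep credential is written in clear text into the `istio` ConfigMap by `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` under `defaultConfig.tracing.lightstep`. Anyone allowed to read ConfigMaps in the release namespace can read it, and ConfigMaps usually sit outside the access rules and handling applied to Secrets. If the LightStep tracer will be enabled, say so beside the field, for example `# NOTE: rendered in clear text into this ConfigMap; restrict get/list on configmaps in this namespace`, and keep the token out of committed values files. Separately, the `{{- else }}` branch near the end sets `controlPlaneAuthPolicy: NONE` with a `discoveryAddress` on port 15010 whenever `global.controlPlaneSecurityEnabled` is false; the default for that value is not visible in this chunk and should be confirmed.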
diff --git a/manager/manifests/istio/templates/endpoints.yaml b/manager/manifests/istio/templates/endpoints.yaml new file mode 100644 index 0000000000..81b8218536 --- /dev/null +++ b/manager/manifests/istio/templates/endpoints.yaml @@ -0,0 +1,63 @@ +{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15003 + name: http-old-discovery # mTLS or non-mTLS depending on auth setting + - port: 15005 + name: https-discovery # always mTLS + - port: 15007 + name: http-discovery # always plain-text + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS or non-mTLS depending on auth setting + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring +{{- end }} +{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePolicyAddress }} + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 +{{- end }} +{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Endpoints +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remoteTelemetryAddress }} + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 +{{- end }} 
diff --git a/manager/manifests/istio/templates/install-custom-resources.sh.tpl b/manager/manifests/istio/templates/install-custom-resources.sh.tpl
new file mode 100644
index 0000000000..a5525a1391
--- /dev/null
+++ b/manager/manifests/istio/templates/install-custom-resources.sh.tpl
@@ -0,0 +1,32 @@
+{{ define "install-custom-resources.sh.tpl" }}
+#!/bin/sh
+
+set -x
+
+if [ "$#" -ne "1" ]; then
+ echo "first argument should be path to custom resource yaml"
+ exit 1
+fi
+
+pathToResourceYAML=${1}
+
+kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
+if [ "$?" -eq 0 ]; then
+ echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
+ while true; do
+ kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+fi
+sleep 5
+kubectl apply -f ${pathToResourceYAML}
+{{ end }}
diff --git a/manager/manifests/istio/templates/service.yaml b/manager/manifests/istio/templates/service.yaml
new file mode 100644
index 0000000000..732cdefd20
--- /dev/null
+++ b/manager/manifests/istio/templates/service.yaml
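Review bot: The wait loop has no upper bound: `while true; do kubectl -n {{ .Release.Namespace }} get deployment istio-galley ...` spins forever if the webhook configuration exists but the deployment never appears, so whatever runs this script hangs instead of failing. A bounded retry count, and `--timeout` on the later `kubectl ... rollout status`, would surface the failure. The last command also expands its argument unquoted; `kubectl apply -f "${pathToResourceYAML}"` avoids word splitting on a path containing spaces. With `set -x` on, every command is echoed to the log, which matters if the script is ever given sensitive arguments.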
@@ -0,0 +1,60 @@ +{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15003 + name: http-old-discovery # mTLS or non-mTLS depending on auth setting + - port: 15005 + name: https-discovery # always mTLS + - port: 15007 + name: http-discovery # always plain-text + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS or non-mTLS depending on auth setting + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + clusterIP: None +{{- end }} +{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + clusterIP: None +{{- end }} +{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + clusterIP: None +{{- end }} diff --git a/manager/manifests/istio/templates/serviceaccount.yaml b/manager/manifests/istio/templates/serviceaccount.yaml new file mode 100644 index 0000000000..e52d9eb9c3 --- /dev/null +++ b/manager/manifests/istio/templates/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/templates/sidecar-injector-configmap.yaml b/manager/manifests/istio/templates/sidecar-injector-configmap.yaml new file mode 100644 index 0000000000..5493b05d58 
--- /dev/null
+++ b/manager/manifests/istio/templates/sidecar-injector-configmap.yaml
@@ -0,0 +1,25 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ template "istio.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ istio: sidecar-injector
+data:
+ values: |-
+ {{ .Values | toJson }}
+
+ config: |-
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }}
+ template: |-
+{{ .Files.Get "files/injection-template.yaml" | indent 6 }}
+{{- end }}
diff --git a/manager/manifests/istio/values-istio-demo-auth.yaml b/manager/manifests/istio/values-istio-demo-auth.yaml
new file mode 100644
index 0000000000..931a8d9954
--- /dev/null
+++ b/manager/manifests/istio/values-istio-demo-auth.yaml
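Review bot: `values: |-` followed by `{{ .Values | toJson }}` copies the whole release values tree into the `istio-sidecar-injector` ConfigMap. Any credential supplied through chart values, for example `global.tracer.lightstep.accessToken` which configmap.yaml in this commit reads, becomes readable by anyone who can get ConfigMaps in the namespace. If the injector needs only part of the tree, serialise just those keys; which keys the injection template reads is only partly visible here and needs checking against files/injection-template.yaml. Until then a comment above the key would help: `# contains ALL chart values as JSON - never pass secrets through values`.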
@@ -0,0 +1,82 @@ +# This is used to generate minimal demo mode. It is included from demo and demo-auth values. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. +# Note: please only put common configuration for the demo profiles here. +global: + proxy: + accessLogFile: "/dev/stdout" + resources: + requests: + cpu: 10m + memory: 40Mi + + disablePolicyChecks: false + +sidecarInjectorWebhook: + enabled: true + # If true, webhook or istioctl injector will rewrite PodSpec for liveness + # health check to redirect request to sidecar. This makes liveness check work + # even when mTLS is enabled. + rewriteAppHTTPProbe: false + +pilot: + traceSampling: 100.0 + resources: + requests: + cpu: 10m + memory: 100Mi + +mixer: + policy: + enabled: true + resources: + requests: + cpu: 10m + memory: 100Mi + + telemetry: + enabled: true + resources: + requests: + cpu: 50m + memory: 100Mi + + adapters: + stdio: + enabled: true + +grafana: + enabled: true + +tracing: + enabled: true + +kiali: + enabled: true + createDemoSecret: true + +gateways: + istio-ingressgateway: + resources: + requests: + cpu: 10m + memory: 40Mi + + istio-egressgateway: + enabled: true + resources: + requests: + cpu: 10m + memory: 40Mi +# This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. + +# @include +global: + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true diff --git a/manager/manifests/istio/values-istio-demo.yaml b/manager/manifests/istio/values-istio-demo.yaml new file mode 100644 index 0000000000..9af8346093 --- /dev/null +++ b/manager/manifests/istio/values-istio-demo.yaml 
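Review bot: `kiali.createDemoSecret: true` is set here together with `kiali.enabled: true`, and the same pair appears in values-istio-demo.yaml. The name indicates that a demo login secret is generated, and in upstream Istio that secret carries a publicly documented default username and password. Both profiles also set `pilot.traceSampling: 100.0` and write access logs to `/dev/stdout`, which are demo conveniences, and values-istio-demo.yaml additionally turns `controlPlaneSecurityEnabled` and `mtls.enabled` off. If the installer can select either file, add a header line such as `# DEMO ONLY - creates default Kiali credentials; do not use for a real cluster`, or leave the two demo profiles out of the shipped manifests.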
@@ -0,0 +1,83 @@ +# This is used to generate minimal demo mode. It is included from demo and demo-auth values. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. +# Note: please only put common configuration for the demo profiles here. +global: + proxy: + accessLogFile: "/dev/stdout" + resources: + requests: + cpu: 10m + memory: 40Mi + + disablePolicyChecks: false + +sidecarInjectorWebhook: + enabled: true + # If true, webhook or istioctl injector will rewrite PodSpec for liveness + # health check to redirect request to sidecar. This makes liveness check work + # even when mTLS is enabled. + rewriteAppHTTPProbe: false + +pilot: + traceSampling: 100.0 + resources: + requests: + cpu: 10m + memory: 100Mi + +mixer: + policy: + enabled: true + resources: + requests: + cpu: 10m + memory: 100Mi + + telemetry: + enabled: true + resources: + requests: + cpu: 50m + memory: 100Mi + + adapters: + stdio: + enabled: true + +grafana: + enabled: true + +tracing: + enabled: true + +kiali: + enabled: true + createDemoSecret: true + +gateways: + istio-ingressgateway: + resources: + requests: + cpu: 10m + memory: 40Mi + + istio-egressgateway: + enabled: true + resources: + requests: + cpu: 10m + memory: 40Mi +# This is used to generate istio.yaml for minimal, demo mode. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. + +# @include +# +global: + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false diff --git a/manager/manifests/istio/values-istio-minimal.yaml b/manager/manifests/istio/values-istio-minimal.yaml new file mode 100644 index 0000000000..eb92536e80 --- /dev/null +++ b/manager/manifests/istio/values-istio-minimal.yaml 
@@ -0,0 +1,46 @@ +# +# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/minimal-install/ +# +pilot: + enabled: true + sidecar: false + +gateways: + enabled: false + +security: + enabled: false + +sidecarInjectorWebhook: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +prometheus: + enabled: false + + +# Common settings. +global: + + proxy: + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + useMCP: false + + diff --git a/manager/manifests/istio/values-istio-remote.yaml b/manager/manifests/istio/values-istio-remote.yaml new file mode 100644 index 0000000000..20fe2ac3dd --- /dev/null +++ b/manager/manifests/istio/values-istio-remote.yaml @@ -0,0 +1,34 @@ +gateways: + enabled: false + +galley: + enabled: false + +mixer: + policy: + enabled: false + telemetry: + enabled: false + +pilot: + enabled: false + +security: + enabled: true + createMeshPolicy: false + +prometheus: + enabled: false + +global: + istioRemote: true + + enableTracing: false + + # Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent + # to the Pilot when connected by the sidecar and will affect the results returned in EDS requests. + # Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to + # other networks. + # + # Must match the names in the meshNetworks section in the Istio local. + network: "" 
diff --git a/manager/manifests/istio/values-istio-sds-auth.yaml b/manager/manifests/istio/values-istio-sds-auth.yaml
new file mode 100644
index 0000000000..a741bfdcfc
--- /dev/null
+++ b/manager/manifests/istio/values-istio-sds-auth.yaml
@@ -0,0 +1,20 @@
+global:
+ controlPlaneSecurityEnabled: false
+
+ mtls:
+ # Default setting for service-to-service mtls. Can be set explicitly using
+ # destination rules or service annotations.
+ enabled: true
+
+ sds:
+ enabled: true
+ udsPath: "unix:/var/run/sds/uds_path"
+ useNormalJwt: true
+
+nodeagent:
+ enabled: true
+ image: node-agent-k8s
+ env:
+ CA_PROVIDER: "Citadel"
+ CA_ADDR: "istio-citadel:8060"
+ VALID_TOKEN: true
\ No newline at end of file
diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml
new file mode 100644
index 0000000000..ac078352f4
--- /dev/null
+++ b/manager/manifests/istio/values.yaml
@@ -0,0 +1,492 @@ +# Top level istio values file has the following sections. +# +# global: This file is the authoritative and exhaustive source for the global section. +# +# chart sections: Every subdirectory inside the charts/ directory has a top level +# configuration key in this file. This file overrides the values specified +# by the charts/${chartname}/values.yaml. +# Check the chart level values file for exhaustive list of configuration options. + +# +# Gateways Configuration, refer to the charts/gateways/values.yaml +# for detailed configuration +# +gateways: + enabled: true + +# +# sidecar-injector webhook configuration, refer to the +# charts/sidecarInjectorWebhook/values.yaml for detailed configuration +# +sidecarInjectorWebhook: + enabled: true + +# +# galley configuration, refer to charts/galley/values.yaml +# for detailed configuration +# +galley: + enabled: true + +# +# mixer configuration +# +# @see charts/mixer/values.yaml, it takes precedence +mixer: + policy: + # if policy is enabled the global.disablePolicyChecks has affect. + enabled: true + + telemetry: + enabled: true +# +# pilot configuration +# +# @see charts/pilot/values.yaml +pilot: + enabled: true + +# +# security configuration +# +security: + enabled: true + +# +# nodeagent configuration +# +nodeagent: + enabled: false + +# +# addon grafana configuration +# +grafana: + enabled: false + +# +# addon prometheus configuration +# +prometheus: + enabled: true + +# +# addon jaeger tracing configuration +# +tracing: + enabled: false + +# +# addon kiali tracing configuration +# +kiali: + enabled: false + +# +# addon certmanager configuration +# +certmanager: + enabled: false + +# +# Istio CNI plugin enabled +# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately. +# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect +# settings for the istio-proxy. 
+# +istio_cni: + enabled: false + +# addon Istio CoreDNS configuration +# +istiocoredns: + enabled: false + +# Common settings used among istio subcharts. +global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.2.2 + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # monitoring port used by mixer, pilot, galley + monitoringPort: 15014 + + k8sIngress: + enabled: false + # Gateway used for k8s Ingress resources. By default it is + # using 'istio:ingressgateway' that will be installed by setting + # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' + # flags to true. + gatewayName: ingressgateway + # enableHttps will add port 443 on the ingress. + # It REQUIRES that the certificates are installed in the + # expected secrets - enabling this option without certificates + # will result in LDS rejection and the ingress will not work. + enableHttps: false + + proxy: + image: proxyv2 + + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Controls number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + + # Configures the access log for each sidecar. + # Options: + # "" - disables access log + # "/dev/stdout" - enables access log + accessLogFile: "" + + # Configure how and what fields are displayed in sidecar access log. 
Setting to + # empty string will result in default log format + accessLogFormat: "" + + # Configure the access log for sidecar to JSON or TEXT. + accessLogEncoding: TEXT + + # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: "" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. + componentLogLevel: "" + + # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS + # This must be given it terms of seconds. For example, 300s is valid but 5m is invalid. + dnsRefreshRate: 300s + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # The number of successive failed probes before indicating readiness failure. 
+ readinessFailureThreshold: 30 + + # istio egress capture whitelist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + + # pod internal interfaces + kubevirtInterfaces: "" + + # istio ingress capture whitelist + # examples: + # Redirect no inbound traffic to Envoy: --includeInboundPorts="" + # Redirect all inbound traffic to Envoy: --includeInboundPorts="*" + # Redirect only selected ports: --includeInboundPorts="80,8080" + includeInboundPorts: "*" + excludeInboundPorts: "" + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc.istio-system + port: # example: 9125 + + # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector + # via the Metrics Service gRPC API. This contains detailed stats information emitted directly + # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also + # available to scrape via the Envoy admin port at either /stats or /stats/prometheus. + # + # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto + # for details about Envoy's Metrics Service API. + # + # Disabled by default. 
+ envoyMetricsService: + enabled: false + host: # example: metrics-service.istio-system + port: # example: 15000 + + # Specify which tracer to use. One of: lightstep, zipkin, datadog + tracer: "zipkin" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxy_init + + # imagePullPolicy is applied to istio control plane components. + # local tests require IfNotPresent, to avoid uploading to dockerhub. + # TODO: Switch to Always as default, and override in the local tests. + imagePullPolicy: IfNotPresent + + # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: false + + # disablePolicyChecks disables mixer policy checks. + # if mixer.policy.enabled==true then disablePolicyChecks has affect. + # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. + disablePolicyChecks: true + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + + # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. + enableTracing: true + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # secure: specifies whether data should be sent with TLS + # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is + # required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination + # namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. 
+ # + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + secure: true # example: true|false + cacertPath: "" # example: /etc/lightstep/cacert.pem + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + + # Default mtls policy. If true, mtls between services will be enabled by default. + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: + # - private-registry-key + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. 
+ defaultNodeSelector: {} + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Whether to perform server-side validation of configuration. + configValidation: true + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" + + # If set to true, the pilot and citadel mtls will be exposed on the + # ingress gateway + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). 
+ # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # enable pod distruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Use the Mesh Control Protocol (MCP) for configuring Mixer and + # Pilot. Requires galley (`--set galley.enabled=true`). + useMCP: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + # Indicate the domain used in SPIFFE identity URL + # The default depends on the environment. + # kubernetes: cluster.local + # else: default dns domain + trustDomain: "" + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests + # to services outside of the mesh without any ServiceEntry. 
+ # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY. + outboundTrafficPolicy: + mode: ALLOW_ANY + + # The namespace where globally shared configurations should be present. + # DestinationRules that apply to the entire mesh (e.g., enabling mTLS), + # default Sidecar configs, etc. should be added to this namespace. + # configRootNamespace: istio-config + + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + #defaultConfigVisibilitySettings: + #- '*' + + sds: + # SDS enabled. IF set to true, mTLS certificates for the sidecars will be + # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. + enabled: false + udsPath: "" + useTrustworthyJwt: false + useNormalJwt: false + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. 
The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Specifies the global locality load balancing settings. + # Locality-weighted load balancing allows administrators to control the distribution of traffic to + # endpoints based on the localities of where the traffic originates and where it will terminate. + # Please set either failover or distribute configuration but not both. + # + # localityLbSetting: + # distribute: + # - from: "us-central1/*" + # to: + # "us-central1/*": 80 + # "us-central2/*": 20 + # + # localityLbSetting: + # failover: + # - from: us-east + # to: eu-west + # - from: us-west + # to: us-east + localityLbSetting: {} + + # Specifies whether helm test is enabled or not. + # This field is set to false by default, so 'helm template ...' + # will ignore the helm test yaml files when generating the template + enableHelmTest: false diff --git a/manager/manifests/nginx.yaml b/manager/manifests/nginx.yaml deleted file mode 100644 index c554bc4652..0000000000 --- a/manager/manifests/nginx.yaml +++ /dev/null 
@@ -1,418 +0,0 @@ -# Copyright 2019 Cortex Labs, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx - namespace: $CORTEX_NAMESPACE ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: nginx - namespace: $CORTEX_NAMESPACE -rules: - - apiGroups: [""] - resources: [endpoints, pods, secrets] - verbs: [list, watch] - - apiGroups: [""] - resources: [nodes, services, ingresses] - verbs: [get, list, watch] - - apiGroups: [""] - resources: [events] - verbs: [create, patch] - - apiGroups: ["extensions"] - resources: [ingresses] - verbs: [get, list, watch] - - apiGroups: ["extensions"] - resources: [ingresses/status] - verbs: [update] - - apiGroups: [""] - resources: [pods, secrets, namespaces, endpoints] - verbs: [get] - - apiGroups: [""] - resources: [configmaps] - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. 
- - "ingress-controller-leader-operator" - - "ingress-controller-leader-apis" - verbs: [get, update] - - apiGroups: [""] - resources: [configmaps] - verbs: [get, list, watch, create] ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: nginx - namespace: $CORTEX_NAMESPACE -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx -subjects: - - kind: ServiceAccount - name: nginx - namespace: $CORTEX_NAMESPACE ---- - -kind: ConfigMap -apiVersion: v1 -metadata: - name: nginx-configuration - namespace: $CORTEX_NAMESPACE -data: - use-proxy-protocol: "true" ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-backend-operator - labels: - app.kubernetes.io/name: nginx-backend-operator - app.kubernetes.io/part-of: ingress-nginx - namespace: $CORTEX_NAMESPACE -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-backend-operator - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: nginx-backend-operator - app.kubernetes.io/part-of: ingress-nginx - spec: - terminationGracePeriodSeconds: 60 - containers: - - name: nginx-backend-operator - # Any image is permissible as long as: - # 1. It serves a 404 page at / - # 2. 
It serves 200 on a /healthz endpoint - image: $CORTEX_IMAGE_NGINX_BACKEND - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - containerPort: 8080 - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi ---- - -apiVersion: v1 -kind: Service -metadata: - name: nginx-backend-operator - namespace: $CORTEX_NAMESPACE - labels: - app.kubernetes.io/name: nginx-backend-operator - app.kubernetes.io/part-of: ingress-nginx -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - app.kubernetes.io/name: nginx-backend-operator - app.kubernetes.io/part-of: ingress-nginx ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-controller-operator - namespace: $CORTEX_NAMESPACE - labels: - app.kubernetes.io/name: nginx-controller-operator - app.kubernetes.io/part-of: ingress-nginx -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-controller-operator - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: nginx-controller-operator - app.kubernetes.io/part-of: ingress-nginx - spec: - serviceAccountName: nginx - containers: - - name: nginx-controller - image: $CORTEX_IMAGE_NGINX_CONTROLLER - imagePullPolicy: Always - args: - - /nginx-ingress-controller - - --watch-namespace=$CORTEX_NAMESPACE - - --default-backend-service=$CORTEX_NAMESPACE/nginx-backend-operator - - --configmap=$CORTEX_NAMESPACE/nginx-configuration - - --publish-service=$CORTEX_NAMESPACE/nginx-controller-operator - - --annotations-prefix=nginx.ingress.kubernetes.io - - --ingress-class=operator - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 33 - runAsUser: 33 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - 
containerPort: 80 - - name: https - containerPort: 443 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 ---- - -kind: Service -apiVersion: v1 -metadata: - name: nginx-controller-operator - namespace: $CORTEX_NAMESPACE - labels: - app.kubernetes.io/name: nginx-controller-operator - app.kubernetes.io/part-of: ingress-nginx - annotations: - # Enable PROXY protocol - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' - # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default, - # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be - # increased to '3600' to avoid any potential issues. - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60' -spec: - type: LoadBalancer - selector: - app.kubernetes.io/name: nginx-controller-operator - app.kubernetes.io/part-of: ingress-nginx - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-backend-apis - labels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - namespace: $CORTEX_NAMESPACE -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - spec: - terminationGracePeriodSeconds: 60 - containers: - - name: nginx-backend-apis - # Any image is permissible as long as: - # 1. It serves a 404 page at / - # 2. 
It serves 200 on a /healthz endpoint - image: $CORTEX_IMAGE_NGINX_BACKEND - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - containerPort: 8080 - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi ---- - -apiVersion: v1 -kind: Service -metadata: - name: nginx-backend-apis - namespace: $CORTEX_NAMESPACE - labels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-controller-apis - namespace: $CORTEX_NAMESPACE - labels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - spec: - serviceAccountName: nginx - containers: - - name: nginx-controller - image: $CORTEX_IMAGE_NGINX_CONTROLLER - imagePullPolicy: Always - args: - - /nginx-ingress-controller - - --watch-namespace=$CORTEX_NAMESPACE - - --default-backend-service=$CORTEX_NAMESPACE/nginx-backend-apis - - --configmap=$CORTEX_NAMESPACE/nginx-configuration - - --publish-service=$CORTEX_NAMESPACE/nginx-backend-apis - - --annotations-prefix=nginx.ingress.kubernetes.io - - --ingress-class=apis - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 33 - runAsUser: 33 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 
- livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 ---- - -kind: Service -apiVersion: v1 -metadata: - name: nginx-controller-apis - namespace: $CORTEX_NAMESPACE - labels: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - annotations: - # Enable PROXY protocol - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' - # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default, - # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be - # increased to '3600' to avoid any potential issues. - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60' -spec: - type: LoadBalancer - selector: - app.kubernetes.io/name: nginx-backend-apis - app.kubernetes.io/part-of: ingress-nginx - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 16669dd2b1..7140398101 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -20,10 +20,9 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: name: operator - namespace: $CORTEX_NAMESPACE subjects: - kind: ServiceAccount name: operator @@ -32,6 +31,7 @@ roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io + --- apiVersion: apps/v1 
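Review bot: Changing `kind: RoleBinding` to `kind: ClusterRoleBinding` while `roleRef` still names `cluster-admin` (visible as context in the next hunk) gives the `operator` ServiceAccount full control of every namespace, where the old binding confined it to `$CORTEX_NAMESPACE`. The only cross-namespace access this patch visibly needs is reading the `istio-ingressgateway` Service in `istio-system` (see `GetIstioService` in pkg/lib/k8s/service.go). Keep the namespaced binding and grant that one read through a Role in `istio-system`, as sketched below with constructed object names. This matters more here because the same pod carries AWS credentials and is published through the ingress gateway later in this file. The subject's `namespace:` line falls between the two hunks and is not visible.

```yaml
# … unchanged: operator ServiceAccount and the namespaced RoleBinding …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: operator-istio-reader        # constructed name
  namespace: istio-system
rules:
  - apiGroups: [""]
    resources: [services]
    verbs: [get]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator-istio-reader        # constructed name
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: operator-istio-reader
subjects:
  - kind: ServiceAccount
    name: operator
    namespace: $CORTEX_NAMESPACE
```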
@@ -41,21 +41,31 @@ metadata: namespace: $CORTEX_NAMESPACE labels: workloadType: operator + workloadId: operator + app: operator + version: v1 spec: replicas: 1 selector: matchLabels: workloadId: operator + app: operator + version: v1 template: metadata: labels: + app: operator + version: v1 workloadId: operator workloadType: operator spec: + serviceAccountName: operator containers: - name: operator image: $CORTEX_IMAGE_OPERATOR imagePullPolicy: Always + ports: + - containerPort: 8888 env: - name: AWS_ACCESS_KEY_ID valueFrom: @@ -74,38 +84,63 @@ spec: - name: cortex-config configMap: name: cortex-config - serviceAccountName: operator --- -kind: Service apiVersion: v1 +kind: Service metadata: - name: operator namespace: $CORTEX_NAMESPACE + name: operator labels: + workloadId: operator workloadType: operator + app: operator + service: operator spec: - selector: - workloadId: operator ports: - port: 8888 - targetPort: 8888 + name: http + selector: + app: operator + workloadId: operator + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: operator-gateway + namespace: $CORTEX_NAMESPACE +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + + --- -apiVersion: extensions/v1beta1 -kind: Ingress +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService metadata: name: operator namespace: $CORTEX_NAMESPACE - labels: - workloadType: operator - annotations: - kubernetes.io/ingress.class: operator spec: - rules: - - http: - paths: - - path: / - backend: - serviceName: operator - servicePort: 8888 + hosts: + - "*" + gateways: + - operator-gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: operator + port: + number: 8888 diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh index 720cb22ff0..f281459afc 100755 --- a/manager/uninstall_cortex.sh +++ b/manager/uninstall_cortex.sh 
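Review bot: Adding `app: operator` and `version: v1` under `spec.selector.matchLabels` changes a field that apps/v1 treats as immutable, so applying this manifest over an existing operator Deployment is rejected unless the old object is deleted first. If in-place upgrades are meant to work, leave `matchLabels` as `workloadId: operator` and add the new labels only under `template.metadata.labels`, since Istio reads `app` and `version` from the pod labels. Whether install_cortex.sh deletes the Deployment before applying is not visible in this hunk.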
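Review bot: The new `operator-gateway` serves only `protocol: HTTP` on port 80 with `hosts: "*"`, so the operator API is reachable in cleartext through the shared `istio: ingressgateway` under any Host header, whereas the removed nginx Service at least exposed port 443. Add an HTTPS server with a certificate, set `httpsRedirect: true` on the port-80 server, and narrow `hosts` once a hostname is known. The `VirtualService` also claims `hosts: "*"` with `prefix: /`, which captures every path on this gateway and is safe only while nothing else is bound to `operator-gateway`. The certificate paths in the sketch are placeholders.

```yaml
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    # … unchanged: hosts …
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: <PATH_TO_CERT>   # placeholder
      privateKey: <PATH_TO_KEY>           # placeholder
    hosts:
    - "*"
# … unchanged: VirtualService operator …
```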
@@ -32,5 +32,6 @@ kubectl delete --ignore-not-found=true customresourcedefinition scheduledsparkap kubectl delete --ignore-not-found=true customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true customresourcedefinition workflows.argoproj.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1 +kubectl delete --ignore-not-found=true namespace istio-system >/dev/null 2>&1 echo "✓ Uninstalled Cortex" diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index ad9102c2b8..c1d749e9f1 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -46,15 +46,16 @@ var ( ) type Client struct { - RestConfig *rest.Config - clientset *kubernetes.Clientset - podClient tcorev1.PodInterface - serviceClient tcorev1.ServiceInterface - deploymentClient tappsv1b1.DeploymentInterface - jobClient tbatchv1.JobInterface - ingressClient textensionsv1b1.IngressInterface - hpaClient tautoscaling.HorizontalPodAutoscalerInterface - Namespace string + RestConfig *rest.Config + clientset *kubernetes.Clientset + podClient tcorev1.PodInterface + serviceClient tcorev1.ServiceInterface + istioServiceClient tcorev1.ServiceInterface + deploymentClient tappsv1b1.DeploymentInterface + jobClient tbatchv1.JobInterface + ingressClient textensionsv1b1.IngressInterface + hpaClient tautoscaling.HorizontalPodAutoscalerInterface + Namespace string } func New(namespace string, inCluster bool) (*Client, error) { 
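Review bot: Deleting the `istio-system` namespace does not remove the cluster-scoped objects this patch introduces, in particular the `operator` ClusterRoleBinding to `cluster-admin` from manager/manifests/operator.yaml, which survives uninstall and would apply again to a ServiceAccount later created under the same name and namespace. Add `kubectl delete --ignore-not-found=true clusterrolebinding operator >/dev/null 2>&1` next to the new line. The CRDs and cluster roles installed by the istio-init chart probably need the same cleanup, though their names are not visible here. The new line also removes `istio-system` unconditionally, which would take down an Istio installation that predates Cortex, so consider recording at install time whether Cortex created that namespace.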
@@ -80,6 +81,7 @@ func New(namespace string, inCluster bool) (*Client, error) { client.podClient = client.clientset.CoreV1().Pods(namespace) client.serviceClient = client.clientset.CoreV1().Services(namespace) + client.istioServiceClient = client.clientset.CoreV1().Services("istio-system") client.deploymentClient = client.clientset.AppsV1beta1().Deployments(namespace) client.jobClient = client.clientset.BatchV1().Jobs(namespace) client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) diff --git a/pkg/lib/k8s/service.go b/pkg/lib/k8s/service.go index 2e8f7d7b1a..edf877c3a2 100644 --- a/pkg/lib/k8s/service.go +++ b/pkg/lib/k8s/service.go @@ -93,6 +93,18 @@ func (c *Client) GetService(name string) (*corev1.Service, error) { return service, nil } +func (c *Client) GetIstioService(name string) (*corev1.Service, error) { + service, err := c.istioServiceClient.Get(name, metav1.GetOptions{}) + if k8serrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) + } + service.TypeMeta = serviceTypeMeta + return service, nil +} + func (c *Client) DeleteService(name string) (bool, error) { err := c.serviceClient.Delete(name, deleteOpts) if k8serrors.IsNotFound(err) { diff --git a/pkg/operator/workloads/api.go b/pkg/operator/workloads/api.go index dc3f17bda9..8b77f07b36 100644 --- a/pkg/operator/workloads/api.go +++ b/pkg/operator/workloads/api.go @@ -506,7 +506,7 @@ func internalAPIName(apiName string, appName string) string { } func APIsBaseURL() (string, error) { - service, err := config.Kubernetes.GetService("nginx-controller-apis") + service, err := config.Kubernetes.GetIstioService("istio-ingressgateway") if err != nil { return "", err } From a1d2c4dc23f8569876aa19da686c9b23b50b45d4 Mon Sep 17 00:00:00 2001 
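Review bot: `New` now hard-codes `"istio-system"` for `istioServiceClient`, and `GetIstioService` (a copy of `GetService`, added without a doc comment) reads Services there, so the operator's service account needs read access outside its own namespace. No RBAC change for that is visible in this part of the patch; if one is added, a namespaced Role in `istio-system` limited to `get` on `services` is sufficient and avoids a cluster-wide grant. I would also lift the literal into a constant, e.g. `const istioNamespace = "istio-system"`, and document the method with `// GetIstioService returns the named Service from the Istio namespace, or nil if it does not exist.`. The body of `New` starts and ends outside the hunk.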
From: Ivan Zhang Date: Fri, 12 Jul 2019 11:24:14 -0400 Subject: [PATCH 02/68] progress --- cortex.sh | 4 +- manager/info.sh | 4 +- manager/install_cortex.sh | 9 +- manager/manifests/apis.yaml | 31 ++++++ manager/manifests/istio/values.yaml | 94 +++++++++++++++- manager/manifests/operator.yaml | 2 +- pkg/lib/k8s/virtual_service.go | 160 ++++++++++++++++++++++++++++ pkg/operator/operator.go | 7 ++ pkg/operator/workloads/api.go | 33 +++--- pkg/operator/workloads/workflow.go | 2 + 10 files changed, 319 insertions(+), 27 deletions(-) create mode 100644 manager/manifests/apis.yaml create mode 100644 pkg/lib/k8s/virtual_service.go diff --git a/cortex.sh b/cortex.sh index 43209a707f..af2b882d99 100755 --- a/cortex.sh +++ b/cortex.sh @@ -429,7 +429,7 @@ if [ "$arg1" = "install" ]; then show_help exit 1 elif [ "$arg2" = "" ]; then - prompt_for_telemetry && install_eks && install_cortex && info + prompt_for_telemetry && install_cortex && info elif [ "$arg2" = "cli" ]; then install_cli elif [ "$arg2" = "" ]; then @@ -447,7 +447,7 @@ elif [ "$arg1" = "uninstall" ]; then show_help exit 1 elif [ "$arg2" = "" ]; then - uninstall_cortex && uninstall_eks + uninstall_cortex elif [ "$arg2" = "cli" ]; then uninstall_cli elif [ "$arg2" = "" ]; then diff --git a/manager/info.sh b/manager/info.sh index b3374b0acb..0a9b06a79d 100755 --- a/manager/info.sh +++ b/manager/info.sh 
@@ -18,12 +18,12 @@ set -e function get_operator_endpoint() { set -eo pipefail - kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' + kubectl -n=istio-system get service operator-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' } function get_apis_endpoint() { set -eo pipefail - kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' + kubectl -n=istio-system get service apis-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/' } eksctl utils write-kubeconfig --name=$CORTEX_CLUSTER --region=$CORTEX_REGION | grep -v "saved kubeconfig as" || true diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index f10c96edec..84b023309b 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -107,7 +107,7 @@ function validate_cortex() { fi if [ "$operator_load_balancer" != "ready" ]; then - out=$(kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]') + out=$(kubectl -n=istio-system get service operator-ingressgateway -o json | tr -d '[:space:]') if [[ $out != *'"loadBalancer":{"ingress":[{"'* ]]; then echo "operator loadbalancer not ready" continue @@ -116,7 +116,7 @@ function validate_cortex() { fi if [ "$api_load_balancer" != "ready" ]; then - out=$(kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]') + out=$(kubectl -n=istio-system get service apis-ingressgateway -o json | tr -d '[:space:]') if [[ $out != *'"loadBalancer":{"ingress":[{"'* ]]; then echo "api loadbalancer not ready" continue 
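Review bot: Both functions in manager/info.sh still scrape the hostname out of whitespace-stripped JSON with a greedy `sed` pattern, and when the pattern does not match (for example while the load balancer has no hostname yet) `sed` prints the whole JSON document, which is then used as the endpoint. kubectl can select the field directly: `kubectl -n=istio-system get service operator-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'`, and likewise for `apis-ingressgateway`. install_cortex.sh already uses `-o jsonpath` for `restartCount`, and its `operator_endpoint=` line in the `@@ -125,7 +125,7 @@` hunk has the same pattern.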
@@ -125,7 +125,7 @@ function validate_cortex() { fi if [ "$operator_endpoint" = "" ]; then - operator_endpoint=$(kubectl -n=istio-system get service istio-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/') + operator_endpoint=$(kubectl -n=istio-system get service operator-ingressgateway -o json | tr -d '[:space:]' | sed 's/.*{\"hostname\":\"\(.*\)\".*/\1/') fi if [ "$operator_endpoint_reachable" != "ready" ]; then @@ -136,7 +136,7 @@ function validate_cortex() { fi if [ "$operator_pod_ready_cycles" == "0" ] && [ "$operator_pod_name" != "" ]; then - num_restart=$(kubectl -n=istio-gateway get "$operator_pod_name" -o jsonpath='{.status.containerStatuses[0].restartCount}') + num_restart=$(kubectl -n=$CORTEX_NAMESPACE get "$operator_pod_name" -o jsonpath='{.status.containerStatuses[0].restartCount}') if [[ $num_restart -ge 2 ]]; then echo -e "\n\nAn error occurred when starting the Cortex operator. View the logs with:" echo " kubectl logs $operator_pod_name --namespace=$CORTEX_NAMESPACE" @@ -182,6 +182,7 @@ helm template manifests/istio --name istio --namespace istio-system | kubectl ap kubectl label namespace cortex istio-injection=enabled envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null +envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null envsubst < manifests/cluster-autoscaler.yaml | kubectl apply -f - >/dev/null envsubst < manifests/metrics-server.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/apis.yaml b/manager/manifests/apis.yaml new file mode 100644 index 0000000000..1e629296ee --- /dev/null +++ b/manager/manifests/apis.yaml 
@@ -0,0 +1,31 @@ +# Copyright 2019 Cortex Labs, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: apis-gateway + namespace: $CORTEX_NAMESPACE +spec: + selector: + istio: apis-ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" + +--- diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml index ac078352f4..0b66647f52 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio/values.yaml 
@@ -13,6 +13,92 @@ # gateways: enabled: true + operator-ingressgateway: + namespace: istio-system + enabled: true + labels: + app: operator-istio-gateway + istio: operator-ingressgateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 2 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 1800m + memory: 256Mi + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + name: http2 + - port: 443 + name: https + - port: 31400 + name: tcp + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + - port: 15029 + targetPort: 15029 + name: http2-kiali + - port: 15030 + targetPort: 15030 + name: http2-prometheus + - port: 15031 + targetPort: 15031 + name: http2-grafana + - port: 15032 + targetPort: 15032 + name: http2-tracing + tracing: + enabled: true + secretVolumes: + - name: customgateway-certs + secretName: istio-customgateway-certs + mountPath: /etc/istio/customgateway-certs + - name: customgateway-ca-certs + secretName: istio-customgateway-ca-certs + mountPath: /etc/istio/customgateway-ca-certs + apis-ingressgateway: + namespace: istio-system + enabled: true + labels: + app: apis-istio-gateway + istio: apis-ingressgateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 2 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 1800m + memory: 256Mi + type: LoadBalancer + ports: + - port: 80 + targetPort: 80 + name: http2 + - port: 443 + name: https + - port: 31400 + name: tcp + tracing: + enabled: true + secretVolumes: + - name: customgateway-certs + secretName: istio-customgateway-certs + mountPath: /etc/istio/customgateway-certs + - name: customgateway-ca-certs + secretName: istio-customgateway-ca-certs + mountPath: /etc/istio/customgateway-ca-certs # # sidecar-injector webhook configuration, refer to the 
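Review bot: The `operator-ingressgateway` Service is `type: LoadBalancer` and publishes 31400, 15011 (`tcp-pilot-grpc-tls`), 8060 (`tcp-citadel-grpc-tls`) and 15029–15032 (kiali, prometheus, grafana, tracing) in addition to 80 and 443. The Gateways visible in this series bind only port 80, so the rest looks like unused surface on the cloud load balancer that becomes reachable as soon as a Gateway resource selects one of those ports. I would trim `ports:` to the `80` and `443` entries and, for the operator gateway, restrict callers with the chart's `loadBalancerSourceRanges` value if this chart version provides it. The `@@ -90,6 +90,24 @@` hunk in the next commit copies the same control-plane and addon ports onto `apis-ingressgateway`. Both gateways also mount the same `istio-customgateway-certs` secrets, which appear to be carried over from the chart sample; confirm those secrets exist or drop the `secretVolumes`.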
@@ -87,7 +173,7 @@ kiali: # certmanager: enabled: false - + # # Istio CNI plugin enabled # This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately. @@ -235,7 +321,7 @@ global: # available to scrape via the Envoy admin port at either /stats or /stats/prometheus. # # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto - # for details about Envoy's Metrics Service API. + # for details about Envoy's Metrics Service API. # # Disabled by default. envoyMetricsService: @@ -410,7 +496,7 @@ global: # services or ServiceEntries for the destination port # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well # as those defined through ServiceEntries - # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests + # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests # to services outside of the mesh without any ServiceEntry. # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY. outboundTrafficPolicy: @@ -425,7 +511,7 @@ global: # rules should be exported to. Currently only one value can be provided in this list. This value # should be one of the following two options: # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host #defaultConfigVisibilitySettings: #- '*' diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 7140398101..86a4148f0c 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml 
@@ -113,7 +113,7 @@ metadata: namespace: $CORTEX_NAMESPACE spec: selector: - istio: ingressgateway + istio: operator-ingressgateway servers: - port: number: 80 diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go new file mode 100644 index 0000000000..f219b50b10 --- /dev/null +++ b/pkg/lib/k8s/virtual_service.go 
@@ -0,0 +1,160 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package k8s + +import ( + "github.com/cortexlabs/cortex/pkg/lib/errors" + v1beta1 "k8s.io/api/extensions/v1beta1" + k8serrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + intstr "k8s.io/apimachinery/pkg/util/intstr" +) + +var VirtualServiceTypeMeta = metav1.TypeMeta{ + APIVersion: "networking.istio.io/v1alpha3", + Kind: "VirtualService", +} + +type IngressSpec struct { + Name string + Namespace string + IngressClass string + ServiceName string + ServicePort int32 + Path string + Labels map[string]string +} + +func Ingress(spec *IngressSpec) *v1beta1.Ingress { + if spec.Namespace == "" { + spec.Namespace = "default" + } + ingress := &v1beta1.Ingress{ + TypeMeta: ingressTypeMeta, + ObjectMeta: metav1.ObjectMeta{ + Name: spec.Name, + Namespace: spec.Namespace, + Annotations: map[string]string{ + "kubernetes.io/ingress.class": spec.IngressClass, + "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "https", + }, + Labels: spec.Labels, + }, + Spec: v1beta1.IngressSpec{ + Rules: []v1beta1.IngressRule{ + { + IngressRuleValue: v1beta1.IngressRuleValue{ + HTTP: &v1beta1.HTTPIngressRuleValue{ + Paths: []v1beta1.HTTPIngressPath{ + { + Path: spec.Path, + Backend: v1beta1.IngressBackend{ + ServiceName: spec.ServiceName, + ServicePort: intstr.IntOrString{ + IntVal: spec.ServicePort, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } + return 
ingress +} + +func (c *Client) CreateIngress(spec *IngressSpec) (*v1beta1.Ingress, error) { + ingress, err := c.ingressClient.Create(Ingress(spec)) + if err != nil { + return nil, errors.WithStack(err) + } + return ingress, nil +} + +func (c *Client) UpdateIngress(ingress *v1beta1.Ingress) (*v1beta1.Ingress, error) { + ingress, err := c.ingressClient.Update(ingress) + if err != nil { + return nil, errors.WithStack(err) + } + return ingress, nil +} + +func (c *Client) GetIngress(name string) (*v1beta1.Ingress, error) { + ingress, err := c.ingressClient.Get(name, metav1.GetOptions{}) + if k8serrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) + } + ingress.TypeMeta = ingressTypeMeta + return ingress, nil +} + +func (c *Client) DeleteIngress(name string) (bool, error) { + err := c.ingressClient.Delete(name, deleteOpts) + if k8serrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, errors.WithStack(err) + } + return true, nil +} + +func (c *Client) IngressExists(name string) (bool, error) { + ingress, err := c.GetIngress(name) + if err != nil { + return false, err + } + return ingress != nil, nil +} + +func (c *Client) ListIngresses(opts *metav1.ListOptions) ([]v1beta1.Ingress, error) { + if opts == nil { + opts = &metav1.ListOptions{} + } + ingressList, err := c.ingressClient.List(*opts) + if err != nil { + return nil, errors.WithStack(err) + } + for i := range ingressList.Items { + ingressList.Items[i].TypeMeta = ingressTypeMeta + } + return ingressList.Items, nil +} + +func (c *Client) ListIngressesByLabels(labels map[string]string) ([]v1beta1.Ingress, error) { + opts := &metav1.ListOptions{ + LabelSelector: LabelSelector(labels), + } + return c.ListIngresses(opts) +} + +func (c *Client) ListIngressesByLabel(labelKey string, labelValue string) ([]v1beta1.Ingress, error) { + return c.ListIngressesByLabels(map[string]string{labelKey: labelValue}) +} + +func IngressMap(ingresses 
[]v1beta1.Ingress) map[string]v1beta1.Ingress { + ingressMap := map[string]v1beta1.Ingress{} + for _, ingress := range ingresses { + ingressMap[ingress.Name] = ingress + } + return ingressMap +} diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 6c117a0bf5..a316fb3d4f 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -74,6 +74,7 @@ func main() { router.Use(apiVersionCheckMiddleware) router.Use(authMiddleware) + router.HandleFunc("/", Index).Methods("GET") router.HandleFunc("/deploy", endpoints.Deploy).Methods("POST") router.HandleFunc("/delete", endpoints.Delete).Methods("POST") router.HandleFunc("/resources", endpoints.GetResources).Methods("GET") @@ -84,6 +85,12 @@ func main() { log.Fatal(http.ListenAndServe(":"+operatorPortStr, router)) } +func Index(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "text/plain") + w.WriteHeader(http.StatusOK) + w.Write([]byte(".")) +} + func panicMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defer endpoints.RecoverAndRespond(w) diff --git a/pkg/operator/workloads/api.go b/pkg/operator/workloads/api.go index 8b77f07b36..bb4d6d7bbf 100644 --- a/pkg/operator/workloads/api.go +++ b/pkg/operator/workloads/api.go @@ -76,11 +76,15 @@ func tfAPISpec( "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, "apiName": api.Name, + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ @@ -90,6 +94,8 @@ func tfAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "userFacing": "true", + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, K8sPodSpec: corev1.PodSpec{ Containers: []corev1.Container{ 
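Review bot: The new pkg/lib/k8s/virtual_service.go is a copy of the ingress helpers (`IngressSpec`, `Ingress`, `CreateIngress`, …) and contains nothing for VirtualServices apart from the unused `VirtualServiceTypeMeta`. It references `ingressTypeMeta` and `deleteOpts` without defining them, so the original ingress file is presumably still in the package and every one of these names would be declared twice. `Ingress` also writes the `"default"` namespace back into the caller's `spec`; a local variable such as `namespace := spec.Namespace` avoids mutating the argument. I would hold the file back until it carries the VirtualService builder, and give each exported name a doc comment when it does.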
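Review bot: `Index` in pkg/operator/operator.go is registered after `router.Use(authMiddleware)`, so it is presumably subject to the same authentication and API-version checks as the other routes; if it is meant as a probe target for the new gateway, unauthenticated probes will be rejected. If it has to be open, mount it on a separate router rather than adding an exemption inside `authMiddleware`, so the set of unauthenticated paths stays explicit. The handler also drops the result of `w.Write` and has no doc comment; something like `// Index answers GET / with a one-byte body so callers can check the operator is reachable.` would state the intent. `main` starts and ends outside these hunks.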
@@ -187,11 +193,15 @@ func onnxAPISpec( "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, "apiName": api.Name, + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ @@ -201,6 +211,8 @@ func onnxAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "userFacing": "true", + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, K8sPodSpec: corev1.PodSpec{ Containers: []corev1.Container{ @@ -271,6 +283,8 @@ func serviceSpec(ctx *context.Context, api *context.API) *k8s.ServiceSpec { "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, "apiName": api.Name, + "service": WorkloadTypeAPI, + "app": WorkloadTypeAPI, }, Selector: map[string]string{ "appName": ctx.App.Name, 
@@ -430,26 +444,17 @@ func deleteOldAPIs(ctx *context.Context) { func createServicesAndIngresses(ctx *context.Context) error { for _, api := range ctx.APIs { - ingressExists, err := config.Kubernetes.IngressExists(internalAPIName(api.Name, ctx.App.Name)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "ingresses", api.Name, "create") - } - if !ingressExists { - _, err = config.Kubernetes.CreateIngress(ingressSpec(ctx, api)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "ingresses", api.Name, "create") - } - } - serviceExists, err := config.Kubernetes.ServiceExists(internalAPIName(api.Name, ctx.App.Name)) if err != nil { return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") } if !serviceExists { - _, err = config.Kubernetes.CreateService(serviceSpec(ctx, api)) - if err != nil { + if _, err := config.Kubernetes.CreateService(serviceSpec(ctx, api)); err != nil { return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") } + if _, err := config.Kubernetes; err != nil { + return errors.Wrap(err, ctx.App.Name, "virtualservices", api.Name, "create") + } } } return nil @@ -506,7 +511,7 @@ func internalAPIName(apiName string, appName string) string { } func APIsBaseURL() (string, error) { - service, err := config.Kubernetes.GetIstioService("istio-ingressgateway") + service, err := config.Kubernetes.GetIstioService("apis-ingressgateway") if err != nil { return "", err } diff --git a/pkg/operator/workloads/workflow.go b/pkg/operator/workloads/workflow.go index 526d71ee4f..73f3b289f7 100644 --- a/pkg/operator/workloads/workflow.go +++ b/pkg/operator/workloads/workflow.go @@ -153,6 +153,8 @@ func Create(ctx *context.Context) (*awfv1.Workflow, error) { "appName": ctx.App.Name, "workloadType": spec.WorkloadType, "workloadID": spec.WorkloadID, + "service": spec.WorkloadType, + "app": spec.WorkloadType, }, }) From 556dfb0708e9cbbb2b2b64a3f42b1f628442afbe Mon Sep 17 00:00:00 2001 
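Review bot: `if _, err := config.Kubernetes; err != nil {` in `createServicesAndIngresses` does not compile, because a single value is assigned to two variables; the call that should create the VirtualService is missing. Once the helper exists it belongs here, e.g. `if _, err := config.Kubernetes.CreateVirtualService(<spec for api>); err != nil {` (the argument is a placeholder). The check is also nested under `!serviceExists`, so an API whose Service was created but whose route creation failed is never repaired on a later run; a separate existence check, as the removed ingress code had, avoids that.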
From: Ivan Zhang Date: Wed, 17 Jul 2019 02:13:31 -0400 Subject: [PATCH 03/68] WORKING --- Makefile | 2 +- go.mod | 1 + go.sum | 2 + images/argo-executor/Dockerfile | 5 +- manager/install_cortex.sh | 4 +- manager/manifests/apis.yaml | 3 +- manager/manifests/istio/values.yaml | 18 +++ manager/manifests/operator.yaml | 14 +-- manager/uninstall_cortex.sh | 2 +- pkg/lib/k8s/deployment.go | 1 + pkg/lib/k8s/k8s.go | 7 ++ pkg/lib/k8s/service.go | 8 +- pkg/lib/k8s/virtual_service.go | 164 ++++++++-------------------- pkg/operator/workloads/api.go | 88 +++++++-------- pkg/operator/workloads/workflow.go | 8 +- pkg/workloads/lib/storage/s3.py | 2 +- pkg/workloads/tf_api/api.py | 16 ++- 17 files changed, 156 insertions(+), 189 deletions(-) diff --git a/Makefile b/Makefile index bcd3c5ade0..125176ca4e 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ killdev: kubectl: @eksctl utils write-kubeconfig --name="cortex" - @kubectl config set-context --current --namespace="cortex" + @kubectl config set-context --current --namespace="default" cortex-up: @$(MAKE) registry-all diff --git a/go.mod b/go.mod index eac3486535..f849563e1e 100644 --- a/go.mod +++ b/go.mod @@ -34,6 +34,7 @@ require ( github.com/gorilla/websocket v1.4.0 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/imdario/mergo v0.3.7 // indirect + github.com/istio/api v0.0.0-20190711203913-5c33284f6906 github.com/json-iterator/go v1.1.6 // indirect github.com/mitchellh/go-homedir v1.1.0 github.com/modern-go/reflect2 v1.0.1 // indirect diff --git a/go.sum b/go.sum index fb2c8abb42..738487df41 100644 --- a/go.sum +++ b/go.sum 
@@ -68,6 +68,8 @@ github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/istio/api v0.0.0-20190711203913-5c33284f6906 h1:wvePzr0ybDl+16mLMDKdRTC1T4t50DXvzw3YMOwydaM= +github.com/istio/api v0.0.0-20190711203913-5c33284f6906/go.mod h1:OzoozMDGP4fCnX+BzpeubbnZuK2aErt/1OxNAZ4w1nM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= diff --git a/images/argo-executor/Dockerfile b/images/argo-executor/Dockerfile index a0fe2c43bc..77db94ff30 100644 --- a/images/argo-executor/Dockerfile +++ b/images/argo-executor/Dockerfile @@ -1 +1,4 @@ -FROM argoproj/argoexec:v2.3.0 +FROM ubuntu:16.04 +ENV argoexec='/bin/sleep 10000000' +RUN echo "yolo" > "/bin/argoexec" +ENTRYPOINT ["/bin/sleep", "1000000"] diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 84b023309b..ca79859a26 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -166,7 +166,7 @@ echo "Installing Cortex ..." setup_bucket setup_cloudwatch_logs -envsubst < manifests/namespace.yaml | kubectl apply -f - >/dev/null +# envsubst < manifests/namespace.yaml | kubectl apply -f - >/dev/null setup_configmap setup_secrets 
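Review bot: images/argo-executor/Dockerfile is reduced to a debugging stub: the pinned `argoproj/argoexec:v2.3.0` base is replaced by `ubuntu:16.04`, `/bin/argoexec` becomes a text file containing "yolo", and the entrypoint is `sleep`. An image built from this no longer contains the Argo executor, so workflow steps that rely on it cannot run, and anything pulling the image by its usual tag gets the stub without notice. Restore `FROM argoproj/argoexec:v2.3.0` before this lands, or keep the stub under a separate, clearly named development image.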
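Review bot: The namespace manifest in the `@@ -166,7 +166,7 @@` hunk of manager/install_cortex.sh and the `istio-injection=enabled` label in the `@@ -179,7 +179,7 @@` hunk are disabled by commenting them out, with no note on why. Without the injection label the operator and API pods presumably run without sidecars, so only the ingress gateways are in the mesh and Istio policy or mutual TLS cannot be applied to traffic behind them. Either delete the lines or leave a comment that says what blocks them, e.g. `# TODO: re-enable sidecar injection once <reason>`. The label line also hard-codes `cortex` where the rest of the script uses `$CORTEX_NAMESPACE`.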
@@ -179,7 +179,7 @@ kubectl create namespace istio-system helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - sleep 20 helm template manifests/istio --name istio --namespace istio-system | kubectl apply -f - -kubectl label namespace cortex istio-injection=enabled +# kubectl label namespace cortex istio-injection=enabled envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/apis.yaml b/manager/manifests/apis.yaml index 1e629296ee..e6c600b56f 100644 --- a/manager/manifests/apis.yaml +++ b/manager/manifests/apis.yaml @@ -16,10 +16,9 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: apis-gateway - namespace: $CORTEX_NAMESPACE spec: selector: - istio: apis-ingressgateway + istio: ingressgateway servers: - port: number: 80 diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml index 0b66647f52..20ac9f7e64 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio/values.yaml @@ -90,6 +90,24 @@ gateways: name: https - port: 31400 name: tcp + - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + - port: 15029 + targetPort: 15029 + name: http2-kiali + - port: 15030 + targetPort: 15030 + name: http2-prometheus + - port: 15031 + targetPort: 15031 + name: http2-grafana + - port: 15032 + targetPort: 15032 + name: http2-tracing tracing: enabled: true secretVolumes: diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 86a4148f0c..37b1ec65aa 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -122,7 +122,6 @@ spec: hosts: - "*" - --- apiVersion: networking.istio.io/v1alpha3 
@@ -136,11 +135,8 @@ spec: gateways: - operator-gateway http: - - match: - - uri: - prefix: / - route: - - destination: - host: operator - port: - number: 8888 + - route: + - destination: + host: operator + port: + number: 8888 diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh index f281459afc..4c2ac229cc 100755 --- a/manager/uninstall_cortex.sh +++ b/manager/uninstall_cortex.sh @@ -31,7 +31,7 @@ fi kubectl delete --ignore-not-found=true customresourcedefinition scheduledsparkapplications.sparkoperator.k8s.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true customresourcedefinition workflows.argoproj.io >/dev/null 2>&1 -kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1 kubectl delete --ignore-not-found=true namespace istio-system >/dev/null 2>&1 +kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1 echo "✓ Uninstalled Cortex" diff --git a/pkg/lib/k8s/deployment.go b/pkg/lib/k8s/deployment.go index 574c5d3816..6c5050e2d1 100644 --- a/pkg/lib/k8s/deployment.go +++ b/pkg/lib/k8s/deployment.go @@ -34,6 +34,7 @@ var deploymentTypeMeta = metav1.TypeMeta{ const DeploymentSuccessConditionAll = "!status.unavailableReplicas" type DeploymentSpec struct { + Spec *DeploymentSpec Name string Namespace string Replicas int32 diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index c1d749e9f1..a881079f2b 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -23,6 +23,7 @@ import ( k8sresource "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/dynamic" "k8s.io/client-go/kubernetes" tappsv1b1 "k8s.io/client-go/kubernetes/typed/apps/v1beta1" tautoscaling "k8s.io/client-go/kubernetes/typed/autoscaling/v1" 
@@ -51,6 +52,7 @@ type Client struct { podClient tcorev1.PodInterface serviceClient tcorev1.ServiceInterface istioServiceClient tcorev1.ServiceInterface + dynamicClient dynamic.Interface deploymentClient tappsv1b1.DeploymentInterface jobClient tbatchv1.JobInterface ingressClient textensionsv1b1.IngressInterface @@ -79,6 +81,11 @@ func New(namespace string, inCluster bool) (*Client, error) { return nil, errors.Wrap(err, "kubeconfig") } + client.dynamicClient, err = dynamic.NewForConfig(client.RestConfig) + if err != nil { + return nil, errors.Wrap(err, "kubeconfig") + } + client.podClient = client.clientset.CoreV1().Pods(namespace) client.serviceClient = client.clientset.CoreV1().Services(namespace) client.istioServiceClient = client.clientset.CoreV1().Services("istio-system") diff --git a/pkg/lib/k8s/service.go b/pkg/lib/k8s/service.go index edf877c3a2..c1afa3f6ce 100644 --- a/pkg/lib/k8s/service.go +++ b/pkg/lib/k8s/service.go @@ -21,7 +21,6 @@ import ( corev1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - intstr "k8s.io/apimachinery/pkg/util/intstr" ) var serviceTypeMeta = metav1.TypeMeta{ @@ -53,11 +52,8 @@ func Service(spec *ServiceSpec) *corev1.Service { Selector: spec.Selector, Ports: []corev1.ServicePort{ { - Protocol: corev1.ProtocolTCP, - Port: spec.Port, - TargetPort: intstr.IntOrString{ - IntVal: spec.TargetPort, - }, + Port: spec.Port, + Name: "http", }, }, }, diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index f219b50b10..d68922dec9 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -1,3 +1,5 @@ +package k8s + /* Copyright 2019 Cortex Labs, Inc. 
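Review bot: `Service()` in pkg/lib/k8s/service.go no longer reads `spec.TargetPort`: the `ServicePort` now carries only `Port` and `Name: "http"`, so Kubernetes defaults the target port to `spec.Port`. Any caller that sets a `TargetPort` different from `Port` will have traffic sent to the wrong container port without an error. Keep `TargetPort: intstr.FromInt(int(spec.TargetPort)),` next to the new `Name` (the `intstr` import removed in the `@@ -21,7 +21,6 @@` hunk would stay), or remove the field from `ServiceSpec` so the compiler flags callers that still set it. The body of `Service` starts and ends outside the hunk.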
@@ -14,61 +16,52 @@ See the License for the specific language governing permissions and limitations under the License. */ -package k8s - import ( "github.com/cortexlabs/cortex/pkg/lib/errors" - v1beta1 "k8s.io/api/extensions/v1beta1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - intstr "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" ) -var VirtualServiceTypeMeta = metav1.TypeMeta{ - APIVersion: "networking.istio.io/v1alpha3", +var virtualServiceTypeMeta = metav1.TypeMeta{ + APIVersion: "v1alpha3", Kind: "VirtualService", } -type IngressSpec struct { - Name string - Namespace string - IngressClass string - ServiceName string - ServicePort int32 - Path string - Labels map[string]string +type VirtualServiceSpec struct { + Name string + Namespace string + Gateways []string + ServiceName string + ServicePort int32 + Path string + Labels map[string]string } -func Ingress(spec *IngressSpec) *v1beta1.Ingress { - if spec.Namespace == "" { - spec.Namespace = "default" +func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { + virtualServceConfig := &unstructured.Unstructured{} + virtualServceConfig.SetGroupVersionKind(schema.GroupVersionKind{ + Group: "networking.istio.io", + Version: "v1alpha3", + Kind: "VirtualService", + }) + virtualServceConfig.SetName(spec.Name) + virtualServceConfig.SetNamespace(spec.Namespace) + virtualServceConfig.Object["metadata"] = map[string]interface{}{ + "name": spec.Name, + "namespace": spec.Namespace, } - ingress := &v1beta1.Ingress{ - TypeMeta: ingressTypeMeta, - ObjectMeta: metav1.ObjectMeta{ - Name: spec.Name, - Namespace: spec.Namespace, - Annotations: map[string]string{ - "kubernetes.io/ingress.class": spec.IngressClass, - "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "https", - }, - Labels: spec.Labels, - }, - Spec: v1beta1.IngressSpec{ - Rules: 
[]v1beta1.IngressRule{ - { - IngressRuleValue: v1beta1.IngressRuleValue{ - HTTP: &v1beta1.HTTPIngressRuleValue{ - Paths: []v1beta1.HTTPIngressPath{ - { - Path: spec.Path, - Backend: v1beta1.IngressBackend{ - ServiceName: spec.ServiceName, - ServicePort: intstr.IntOrString{ - IntVal: spec.ServicePort, - }, - }, - }, + virtualServceConfig.Object["spec"] = map[string]interface{}{ + "hosts": []string{"*"}, + "gateways": spec.Gateways, + "http": []map[string]interface{}{ + map[string]interface{}{ + "route": []map[string]interface{}{ + map[string]interface{}{ + "destination": map[string]interface{}{ + "host": spec.ServiceName, + "port": map[string]interface{}{ + "number": spec.ServicePort, }, }, }, 
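Review bot: `VirtualService()` ignores `spec.Path` and `spec.Labels`, and every object it builds uses `hosts: "*"` with a single unconditional route, so several APIs attached to the same gateway would all claim every request and a call meant for one API can be routed to another. The `Object["metadata"]` assignment replaces what `SetName` and `SetNamespace` just wrote, and `virtualServiceTypeMeta.APIVersion` is `"v1alpha3"` without the `networking.istio.io/` group. The unstructured helpers expect JSON-compatible values (`[]interface{}`, `int64`) rather than `[]string`, `[]map[string]interface{}` and `int32`. The rewrite below adds a URI prefix match from `spec.Path`; whether the backing API server also needs a path rewrite cannot be told from here. The function's closing lines fall in the next hunk.

```go
// … unchanged: SetGroupVersionKind, SetName, SetNamespace …
// Object["metadata"] assignment dropped: it replaced what the setters wrote.
virtualServceConfig.SetLabels(spec.Labels)

gateways := make([]interface{}, len(spec.Gateways))
for i, gateway := range spec.Gateways {
	gateways[i] = gateway
}
virtualServceConfig.Object["spec"] = map[string]interface{}{
	"hosts":    []interface{}{"*"},
	"gateways": gateways,
	"http": []interface{}{
		map[string]interface{}{
			"match": []interface{}{
				map[string]interface{}{
					"uri": map[string]interface{}{"prefix": spec.Path},
				},
			},
			"route": []interface{}{
				map[string]interface{}{
					"destination": map[string]interface{}{
						"host": spec.ServiceName,
						"port": map[string]interface{}{
							"number": int64(spec.ServicePort),
						},
					},
				},
			},
		},
	},
}
```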
@@ -76,85 +69,22 @@ func Ingress(spec *IngressSpec) *v1beta1.Ingress { }, }, } - return ingress -} - -func (c *Client) CreateIngress(spec *IngressSpec) (*v1beta1.Ingress, error) { - ingress, err := c.ingressClient.Create(Ingress(spec)) - if err != nil { - return nil, errors.WithStack(err) - } - return ingress, nil -} - -func (c *Client) UpdateIngress(ingress *v1beta1.Ingress) (*v1beta1.Ingress, error) { - ingress, err := c.ingressClient.Update(ingress) - if err != nil { - return nil, errors.WithStack(err) - } - return ingress, nil -} - -func (c *Client) GetIngress(name string) (*v1beta1.Ingress, error) { - ingress, err := c.ingressClient.Get(name, metav1.GetOptions{}) - if k8serrors.IsNotFound(err) { - return nil, nil - } - if err != nil { - return nil, errors.WithStack(err) - } - ingress.TypeMeta = ingressTypeMeta - return ingress, nil -} -func (c *Client) DeleteIngress(name string) (bool, error) { - err := c.ingressClient.Delete(name, deleteOpts) - if k8serrors.IsNotFound(err) { - return false, nil - } - if err != nil { - return false, errors.WithStack(err) - } - return true, nil + return virtualServceConfig } -func (c *Client) IngressExists(name string) (bool, error) { - ingress, err := c.GetIngress(name) - if err != nil { - return false, err +func (c *Client) CreateVirtualService(spec *VirtualServiceSpec) (*unstructured.Unstructured, error) { + virtualServiceGVR := schema.GroupVersionResource{ + Group: "networking.istio.io", + Version: "v1alpha3", + Resource: "virtualservices", } - return ingress != nil, nil -} -func (c *Client) ListIngresses(opts *metav1.ListOptions) ([]v1beta1.Ingress, error) { - if opts == nil { - opts = &metav1.ListOptions{} - } - ingressList, err := c.ingressClient.List(*opts) + service, err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(spec.Namespace).Create(VirtualService(spec), metav1.CreateOptions{ + TypeMeta: virtualServiceTypeMeta, + }) if err != nil { return nil, errors.WithStack(err) } - for i := range ingressList.Items 
{ - ingressList.Items[i].TypeMeta = ingressTypeMeta - } - return ingressList.Items, nil -} - -func (c *Client) ListIngressesByLabels(labels map[string]string) ([]v1beta1.Ingress, error) { - opts := &metav1.ListOptions{ - LabelSelector: LabelSelector(labels), - } - return c.ListIngresses(opts) -} - -func (c *Client) ListIngressesByLabel(labelKey string, labelValue string) ([]v1beta1.Ingress, error) { - return c.ListIngressesByLabels(map[string]string{labelKey: labelValue}) -} - -func IngressMap(ingresses []v1beta1.Ingress) map[string]v1beta1.Ingress { - ingressMap := map[string]v1beta1.Ingress{} - for _, ingress := range ingresses { - ingressMap[ingress.Name] = ingress - } - return ingressMap + return service, nil } diff --git a/pkg/operator/workloads/api.go b/pkg/operator/workloads/api.go index bb4d6d7bbf..15eea3764c 100644 --- a/pkg/operator/workloads/api.go +++ b/pkg/operator/workloads/api.go @@ -45,7 +45,7 @@ func tfAPISpec( api *context.API, workloadID string, desiredReplicas int32, -) *appsv1b1.Deployment { +) *k8s.DeploymentSpec { transformResourceList := corev1.ResourceList{} tfServingResourceList := corev1.ResourceList{} tfServingLimitsList := corev1.ResourceList{} 
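Review bot: In `CreateVirtualService`, `metav1.CreateOptions{TypeMeta: virtualServiceTypeMeta}` sets the kind and API version of the options object rather than of the resource being created, so `Kind: "VirtualService"` / `APIVersion: "v1alpha3"` is at best ignored there; the resource's own group, version and kind are already set by `SetGroupVersionKind` in `VirtualService`. I would pass `metav1.CreateOptions{}` and delete `virtualServiceTypeMeta`, or restore the full `networking.istio.io/v1alpha3` if the variable is kept for another use. The hunk also removes the Get, Update, Delete, Exists and List helpers without VirtualService counterparts; if cleanup of old APIs relied on them (not visible here), routes created by this function would outlive their APIs. The local name `virtualServceConfig` is missing an `i`.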
@@ -66,36 +66,26 @@ func tfAPISpec( tfServingResourceList["nvidia.com/gpu"] = *k8sresource.NewQuantity(api.Compute.GPU, k8sresource.DecimalSI) tfServingLimitsList["nvidia.com/gpu"] = *k8sresource.NewQuantity(api.Compute.GPU, k8sresource.DecimalSI) } - - return k8s.Deployment(&k8s.DeploymentSpec{ - Name: internalAPIName(api.Name, ctx.App.Name), + spec := &k8s.DeploymentSpec{ + Name: WorkloadTypeAPI, Replicas: desiredReplicas, Labels: map[string]string{ - "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "apiName": api.Name, - "resourceID": ctx.APIs[api.Name].ID, - "workloadID": workloadID, - "service": WorkloadTypeAPI, + "workloadId": WorkloadTypeAPI, "app": WorkloadTypeAPI, + "version": "v1", }, Selector: map[string]string{ - "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "apiName": api.Name, - "service": WorkloadTypeAPI, "app": WorkloadTypeAPI, + "version": "v1", }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ - "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "apiName": api.Name, - "resourceID": ctx.APIs[api.Name].ID, - "workloadID": workloadID, - "userFacing": "true", - "service": WorkloadTypeAPI, + "workloadId": WorkloadTypeAPI, "app": WorkloadTypeAPI, + "version": "v1", }, K8sPodSpec: corev1.PodSpec{ Containers: []corev1.Container{ @@ -132,6 +122,11 @@ func tfAPISpec( Resources: corev1.ResourceRequirements{ Requests: transformResourceList, }, + Ports: []corev1.ContainerPort{ + { + ContainerPort: 8888, + }, + }, }, { Name: tfServingContainerName, @@ -161,14 +156,21 @@ func tfAPISpec( Requests: tfServingResourceList, Limits: tfServingLimitsList, }, + Ports: []corev1.ContainerPort{ + { + ContainerPort: tfServingPortInt32, + }, + }, }, }, Volumes: k8s.DefaultVolumes(), - ServiceAccountName: "default", + ServiceAccountName: "operator", }, }, Namespace: config.Cortex.Namespace, - }) + } + //return k8s.Deployment(spec) + return spec } func onnxAPISpec( 
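Review bot: The last hunk of `tfAPISpec` changes the API pods' `ServiceAccountName` from `"default"` to `"operator"`, which is the same account name the operator Deployment runs under (`serviceAccountName: operator` in manager/manifests/operator.yaml), so containers that serve user-supplied models would mount that account's token. Whatever RBAC the operator account carries then becomes reachable from every API pod; unless these pods need to call the Kubernetes API, I would keep `ServiceAccountName: "default"` or bind a dedicated account with no cluster permissions. The same hunk leaves `//return k8s.Deployment(spec)` behind as a commented-out line, which should be deleted once the new return type is settled. `tfAPISpec` starts before the first of these hunks.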
@@ -258,38 +260,29 @@ func onnxAPISpec( }) } -func ingressSpec(ctx *context.Context, api *context.API) *k8s.IngressSpec { - return &k8s.IngressSpec{ - Name: internalAPIName(api.Name, ctx.App.Name), - ServiceName: internalAPIName(api.Name, ctx.App.Name), - ServicePort: defaultPortInt32, - Path: context.APIPath(api.Name, ctx.App.Name), - IngressClass: "apis", - Labels: map[string]string{ - "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, - "apiName": api.Name, - }, - Namespace: config.Cortex.Namespace, +func virtualServiceSpec(ctx *context.Context, api *context.API) *k8s.VirtualServiceSpec { + return &k8s.VirtualServiceSpec{ + Name: WorkloadTypeAPI, + Namespace: config.Cortex.Namespace, + Gateways: []string{"apis-gateway"}, + ServiceName: WorkloadTypeAPI, + ServicePort: defaultPortInt32, + Path: context.APIPath(api.Name, ctx.App.Name), } } func serviceSpec(ctx *context.Context, api *context.API) *k8s.ServiceSpec { return &k8s.ServiceSpec{ - Name: internalAPIName(api.Name, ctx.App.Name), - Port: defaultPortInt32, - TargetPort: defaultPortInt32, + Name: WorkloadTypeAPI, + Port: defaultPortInt32, Labels: map[string]string{ - "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "apiName": api.Name, + "workloadId": WorkloadTypeAPI, "service": WorkloadTypeAPI, "app": WorkloadTypeAPI, }, Selector: map[string]string{ - "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, - "apiName": api.Name, + "app": WorkloadTypeAPI, }, Namespace: config.Cortex.Namespace, } @@ -351,7 +344,7 @@ func apiWorkloadSpecs(ctx *context.Context) ([]*WorkloadSpec, error) { switch api.ModelFormat { case userconfig.TensorFlowModelFormat: - spec = tfAPISpec(ctx, api, workloadID, desiredReplicas) + //spec = tfAPISpec(ctx, api, workloadID, desiredReplicas) case userconfig.ONNXModelFormat: spec = onnxAPISpec(ctx, api, workloadID, desiredReplicas) default: 
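Review bot: In `apiWorkloadSpecs`, commenting out `spec = tfAPISpec(ctx, api, workloadID, desiredReplicas)` leaves the `userconfig.TensorFlowModelFormat` case empty, and since Go cases do not fall through, `spec` keeps its zero value for every TensorFlow API. What the code after the switch does with that value is outside the hunk, so it should be checked for a nil dereference or for silently recording an empty workload. If TensorFlow deployments are meant to be created elsewhere for now, replace the dead line with a comment that says so, e.g. `// TensorFlow deployments are created in createServicesAndIngresses`.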
@@ -444,6 +437,9 @@ func deleteOldAPIs(ctx *context.Context) { func createServicesAndIngresses(ctx *context.Context) error { for _, api := range ctx.APIs { + if api.ModelFormat != userconfig.TensorFlowModelFormat { + continue + } serviceExists, err := config.Kubernetes.ServiceExists(internalAPIName(api.Name, ctx.App.Name)) if err != nil { return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") @@ -452,10 +448,16 @@ func createServicesAndIngresses(ctx *context.Context) error { if _, err := config.Kubernetes.CreateService(serviceSpec(ctx, api)); err != nil { return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") } - if _, err := config.Kubernetes; err != nil { + if _, err := config.Kubernetes.CreateVirtualService(virtualServiceSpec(ctx, api)); err != nil { return errors.Wrap(err, ctx.App.Name, "virtualservices", api.Name, "create") } } + + spec := tfAPISpec(ctx, api, WorkloadTypeAPI, 1) + if _, err := config.Kubernetes.CreateDeployment(spec); err != nil { + return errors.Wrap(err, "yolo") + } + } return nil } diff --git a/pkg/operator/workloads/workflow.go b/pkg/operator/workloads/workflow.go index 73f3b289f7..4fd09675ad 100644 --- a/pkg/operator/workloads/workflow.go +++ b/pkg/operator/workloads/workflow.go @@ -199,10 +199,10 @@ func Run(wf *awfv1.Workflow, ctx *context.Context, existingWf *awfv1.Workflow) e } } - err = config.Argo.Run(wf) - if err != nil { - return errors.Wrap(err, ctx.App.Name) - } + // err = config.Argo.Run(wf) + // if err != nil { + // return errors.Wrap(err, ctx.App.Name) + // } err = createServicesAndIngresses(ctx) if err != nil { diff --git a/pkg/workloads/lib/storage/s3.py b/pkg/workloads/lib/storage/s3.py index 06cc48ccf9..2d1ca4225a 100644 --- a/pkg/workloads/lib/storage/s3.py +++ b/pkg/workloads/lib/storage/s3.py 
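Review bot: The deployment error in `createServicesAndIngresses` is wrapped as `errors.Wrap(err, "yolo")`, which drops the app and API names that the neighbouring calls include; `return errors.Wrap(err, ctx.App.Name, "deployments", api.Name, "create")` would match them. The `CreateDeployment` call also sits outside the `serviceExists` guard, as far as the visible braces show, so a second run for the same API would try to create a Deployment that already exists. The replica count is fixed at `1` rather than taken from the API's configuration. The function starts before this hunk.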
@@ -174,7 +174,7 @@ def download_file(self, key, local_path): return local_path except Exception as e: raise CortexException( - 'key "{}" in bucket "{}" could not be accessed; '.format(key, bucket) + 'key "{}" in bucket "{}" could not be accessed; '.format(key, self.bucket) + "it may not exist, or you may not have suffienct permissions" ) from e diff --git a/pkg/workloads/tf_api/api.py b/pkg/workloads/tf_api/api.py index e2e3e4f8fd..8d57697eef 100644 --- a/pkg/workloads/tf_api/api.py +++ b/pkg/workloads/tf_api/api.py @@ -312,6 +312,17 @@ def prediction_failed(sample, reason=None): def health(): return jsonify({"ok": True}) +@app.route("//", methods=["GET"]) +def predict_index(deployment_name, api_name): + return jsonify({"ok": True}) + +@app.route("/", methods=["GET"]) +def index(): + return jsonify({"ok": True}) + +@app.errorhandler(404) +def page_not_found(e): + return jsonify({"not_ok": True}) @app.route("//", methods=["POST"]) def predict(deployment_name, api_name): @@ -416,8 +427,9 @@ def validate_model_dir(model_dir): def start(args): + serve(app, listen="*:{}".format(args.port)) + return ctx = Context(s3_path=args.context, cache_dir=args.cache_dir, workload_id=args.workload_id) - api = ctx.apis_id_map[args.api] local_cache["api"] = api local_cache["ctx"] = ctx @@ -497,7 +509,7 @@ def start(args): logger.info("Serving model: {}".format(util.remove_resource_ref(api["model"]))) serve(app, listen="*:{}".format(args.port)) - + return def main(): parser = argparse.ArgumentParser() From d5d16e70b2d4eed6e26de8edd47209c20d9b506b Mon Sep 17 00:00:00 2001 
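Review bot: `start` now calls `serve(app, listen="*:{}".format(args.port))` and returns on its first two lines, so the context and `local_cache` setup below never runs and the server listens on all interfaces with nothing initialised; handlers that read `local_cache` (their bodies are outside these hunks) would then fail at request time. The same hunk deletes `api = ctx.apis_id_map[args.api]` while the next line still reads `api`, which would raise `NameError` as soon as the early return is removed. In the hunk above it, `page_not_found` returns `jsonify({"not_ok": True})` without a status, so Flask answers 200 for unknown paths; `return jsonify({"not_ok": True}), 404` keeps the status that clients and probes rely on. `start` continues past both hunks.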
From: Ivan Zhang Date: Wed, 17 Jul 2019 16:21:26 -0400 Subject: [PATCH 04/68] fix namespace --- Makefile | 2 +- manager/install_cortex.sh | 3 +-- manager/manifests/apis.yaml | 3 ++- manager/manifests/namespace.yaml | 2 ++ manager/manifests/operator.yaml | 23 +++++++++-------- pkg/lib/k8s/virtual_service.go | 7 ++++++ pkg/operator/workloads/api.go | 43 +++++++++++++++++++++----------- 7 files changed, 54 insertions(+), 29 deletions(-) diff --git a/Makefile b/Makefile index 125176ca4e..bcd3c5ade0 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ killdev: kubectl: @eksctl utils write-kubeconfig --name="cortex" - @kubectl config set-context --current --namespace="default" + @kubectl config set-context --current --namespace="cortex" cortex-up: @$(MAKE) registry-all diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index ca79859a26..c291e375ea 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -166,7 +166,7 @@ echo "Installing Cortex ..." setup_bucket setup_cloudwatch_logs -# envsubst < manifests/namespace.yaml | kubectl apply -f - >/dev/null +envsubst < manifests/namespace.yaml | kubectl apply -f - >/dev/null setup_configmap setup_secrets @@ -179,7 +179,6 @@ kubectl create namespace istio-system helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - sleep 20 helm template manifests/istio --name istio --namespace istio-system | kubectl apply -f - -# kubectl label namespace cortex istio-injection=enabled envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/apis.yaml b/manager/manifests/apis.yaml index e6c600b56f..1e629296ee 100644 --- a/manager/manifests/apis.yaml +++ b/manager/manifests/apis.yaml 
@@ -16,9 +16,10 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: apis-gateway + namespace: $CORTEX_NAMESPACE spec: selector: - istio: ingressgateway + istio: apis-ingressgateway servers: - port: number: 80 diff --git a/manager/manifests/namespace.yaml b/manager/manifests/namespace.yaml index 2bb3d82f47..31e55a8f14 100644 --- a/manager/manifests/namespace.yaml +++ b/manager/manifests/namespace.yaml @@ -16,3 +16,5 @@ apiVersion: v1 kind: Namespace metadata: name: $CORTEX_NAMESPACE + labels: + istio-injection: enabled diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 37b1ec65aa..b0b55b97e4 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -41,14 +41,14 @@ metadata: namespace: $CORTEX_NAMESPACE labels: workloadType: operator - workloadId: operator + workloadID: operator app: operator version: v1 spec: replicas: 1 selector: matchLabels: - workloadId: operator + workloadID: operator app: operator version: v1 template: @@ -56,7 +56,7 @@ spec: labels: app: operator version: v1 - workloadId: operator + workloadID: operator workloadType: operator spec: serviceAccountName: operator @@ -92,7 +92,7 @@ metadata: namespace: $CORTEX_NAMESPACE name: operator labels: - workloadId: operator + workloadID: operator workloadType: operator app: operator service: operator @@ -102,7 +102,7 @@ spec: name: http selector: app: operator - workloadId: operator + workloadID: operator --- @@ -135,8 +135,11 @@ spec: gateways: - operator-gateway http: - - route: - - destination: - host: operator - port: - number: 8888 + - match: + - uri: + prefix: / + route: + - destination: + host: operator + port: + number: 8888 diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index d68922dec9..a72a8935c5 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go 
@@ -56,6 +56,13 @@ func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { "gateways": spec.Gateways, "http": []map[string]interface{}{ map[string]interface{}{ + "match": []map[string]interface{}{ + map[string]interface{}{ + "uri": map[string]interface{}{ + "prefix": spec.Path, + }, + }, + }, "route": []map[string]interface{}{ map[string]interface{}{ "destination": map[string]interface{}{ diff --git a/pkg/operator/workloads/api.go b/pkg/operator/workloads/api.go index 15eea3764c..c70d93a19b 100644 --- a/pkg/operator/workloads/api.go +++ b/pkg/operator/workloads/api.go @@ -67,25 +67,34 @@ func tfAPISpec( tfServingLimitsList["nvidia.com/gpu"] = *k8sresource.NewQuantity(api.Compute.GPU, k8sresource.DecimalSI) } spec := &k8s.DeploymentSpec{ - Name: WorkloadTypeAPI, + Name: internalAPIName(api.Name, ctx.App.Name), Replicas: desiredReplicas, Labels: map[string]string{ + "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "workloadId": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "apiName": api.Name, + "resourceID": ctx.APIs[api.Name].ID, + "workloadID": workloadID, + "app": internalAPIName(api.Name, ctx.App.Name), "version": "v1", }, Selector: map[string]string{ + "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "app": internalAPIName(api.Name, ctx.App.Name), "version": "v1", + "apiName": api.Name, }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ + "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "workloadId": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "apiName": api.Name, + "resourceID": ctx.APIs[api.Name].ID, + "workloadID": workloadID, + "app": internalAPIName(api.Name, ctx.App.Name), "version": "v1", + "userFacing": "true", }, K8sPodSpec: corev1.PodSpec{ Containers: []corev1.Container{ @@ -124,7 +133,7 @@ func tfAPISpec( }, Ports: []corev1.ContainerPort{ { - ContainerPort: 8888, + ContainerPort: defaultPortInt32, }, }, }, 
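Review bot: The added `match` uses `"prefix": spec.Path`, and an Istio prefix match is a plain string prefix, so the rule for one API would also match any other path that merely begins with the same characters (for example an API whose name extends this one's). Because every VirtualService built here still uses `"hosts": []string{"*"}` on a shared gateway, which of two overlapping rules wins is not fixed by this code. If `context.APIPath` returns the full request path (its format is not visible here), `"exact": spec.Path` would keep each API's route to itself; otherwise match on the path with a trailing `/` as the boundary. The map literal continues outside the hunk.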
@@ -262,10 +271,10 @@ func onnxAPISpec( func virtualServiceSpec(ctx *context.Context, api *context.API) *k8s.VirtualServiceSpec { return &k8s.VirtualServiceSpec{ - Name: WorkloadTypeAPI, + Name: internalAPIName(api.Name, ctx.App.Name), Namespace: config.Cortex.Namespace, Gateways: []string{"apis-gateway"}, - ServiceName: WorkloadTypeAPI, + ServiceName: internalAPIName(api.Name, ctx.App.Name), ServicePort: defaultPortInt32, Path: context.APIPath(api.Name, ctx.App.Name), } @@ -273,16 +282,20 @@ func virtualServiceSpec(ctx *context.Context, api *context.API) *k8s.VirtualServ func serviceSpec(ctx *context.Context, api *context.API) *k8s.ServiceSpec { return &k8s.ServiceSpec{ - Name: WorkloadTypeAPI, + Name: internalAPIName(api.Name, ctx.App.Name), Port: defaultPortInt32, Labels: map[string]string{ + "appName": ctx.App.Name, "workloadType": WorkloadTypeAPI, - "workloadId": WorkloadTypeAPI, - "service": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "apiName": api.Name, + "service": internalAPIName(api.Name, ctx.App.Name), + "app": internalAPIName(api.Name, ctx.App.Name), }, Selector: map[string]string{ - "app": WorkloadTypeAPI, + "appName": ctx.App.Name, + "workloadType": WorkloadTypeAPI, + "apiName": api.Name, + "app": internalAPIName(api.Name, ctx.App.Name), }, Namespace: config.Cortex.Namespace, } @@ -453,7 +466,7 @@ func createServicesAndIngresses(ctx *context.Context) error { } } - spec := tfAPISpec(ctx, api, WorkloadTypeAPI, 1) + spec := tfAPISpec(ctx, api, generateWorkloadID(), 1) if _, err := config.Kubernetes.CreateDeployment(spec); err != nil { return errors.Wrap(err, "yolo") } From a3fe16cb258c057b3c780320d063fd01f19aacdc Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 17 Jul 2019 16:41:28 -0400 Subject: [PATCH 05/68] cleanup --- pkg/operator/workloads/api.go | 3 --- pkg/workloads/tf_api/api.py | 8 -------- 2 files changed, 11 deletions(-) diff --git a/pkg/operator/workloads/api.go b/pkg/operator/workloads/api.go index c70d93a19b..c0bea1097c 100644 
--- a/pkg/operator/workloads/api.go +++ b/pkg/operator/workloads/api.go @@ -450,9 +450,6 @@ func deleteOldAPIs(ctx *context.Context) { func createServicesAndIngresses(ctx *context.Context) error { for _, api := range ctx.APIs { - if api.ModelFormat != userconfig.TensorFlowModelFormat { - continue - } serviceExists, err := config.Kubernetes.ServiceExists(internalAPIName(api.Name, ctx.App.Name)) if err != nil { return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") diff --git a/pkg/workloads/tf_api/api.py b/pkg/workloads/tf_api/api.py index 8d57697eef..272a6c3e7d 100644 --- a/pkg/workloads/tf_api/api.py +++ b/pkg/workloads/tf_api/api.py @@ -316,14 +316,6 @@ def health(): def predict_index(deployment_name, api_name): return jsonify({"ok": True}) -@app.route("/", methods=["GET"]) -def index(): - return jsonify({"ok": True}) - -@app.errorhandler(404) -def page_not_found(e): - return jsonify({"not_ok": True}) - @app.route("//", methods=["POST"]) def predict(deployment_name, api_name): try: From b872e183ee2292a32dd11adf2b3590cdb8f2ddd7 Mon Sep 17 00:00:00 2001 
From: David Eliahu Date: Wed, 17 Jul 2019 15:20:20 -0700 Subject: [PATCH 06/68] Replace argo with operator DAG manager --- Makefile | 4 - cortex.sh | 4 - dev/registry.sh | 4 - docs/cluster/config.md | 2 - docs/cluster/development.md | 2 - go.mod | 35 +- go.sum | 176 ++++----- images/argo-controller/Dockerfile | 1 - images/argo-executor/Dockerfile | 1 - manager/install_cortex.sh | 1 - manager/manifests/argo.yaml | 132 ------- manager/manifests/operator.yaml | 6 +- manager/uninstall_cortex.sh | 1 - pkg/lib/argo/argo.go | 319 ---------------- pkg/lib/debug/debug.go | 9 + pkg/lib/k8s/configmap.go | 165 +++++++++ pkg/lib/k8s/deployment.go | 28 +- pkg/lib/k8s/hpa.go | 27 +- pkg/lib/k8s/ingress.go | 27 +- pkg/lib/k8s/job.go | 41 ++- pkg/lib/k8s/k8s.go | 2 + pkg/lib/k8s/pod.go | 26 +- pkg/lib/k8s/service.go | 27 +- pkg/lib/spark/spark.go | 151 ++++++-- pkg/operator/api/context/context.go | 9 - pkg/operator/api/context/dependencies.go | 70 ++-- pkg/operator/api/userconfig/compute.go | 6 + pkg/operator/config/config.go | 4 - pkg/operator/context/context.go | 2 +- pkg/operator/endpoints/deploy.go | 58 +-- pkg/operator/endpoints/resources.go | 12 +- pkg/operator/endpoints/shared.go | 17 +- pkg/operator/operator.go | 88 +---- pkg/operator/workloads/api_saved_status.go | 2 +- pkg/operator/workloads/api_status.go | 39 +- .../workloads/{api.go => api_workload.go} | 286 +++++++++------ pkg/operator/workloads/consts.go | 29 -- pkg/operator/workloads/cron.go | 100 +++++ pkg/operator/workloads/current_contexts.go | 77 +++- pkg/operator/workloads/data_saved_status.go | 89 ++++- pkg/operator/workloads/errors.go | 18 - pkg/operator/workloads/latest_workload_id.go | 2 +- pkg/operator/workloads/log_prefix.go | 4 +- pkg/operator/workloads/logs.go | 35 +- pkg/operator/workloads/parsed_workflow.go | 143 -------- pkg/operator/workloads/python_package_job.go | 109 ------ .../workloads/python_package_workload.go | 124 +++++++ pkg/operator/workloads/saved_base_workload.go | 112 ++++++ 
.../workloads/saved_base_workload_cache.go | 73 ++++ pkg/operator/workloads/shared.go | 38 +- .../{data_job.go => spark_workload.go} | 275 +++++++------- .../{training_job.go => training_workload.go} | 118 +++--- pkg/operator/workloads/workflow.go | 341 +++++++++--------- pkg/operator/workloads/workload.go | 183 ++++++++++ pkg/operator/workloads/workload_spec.go | 176 --------- 55 files changed, 1967 insertions(+), 1863 deletions(-) delete mode 100644 images/argo-controller/Dockerfile delete mode 100644 images/argo-executor/Dockerfile delete mode 100644 manager/manifests/argo.yaml delete mode 100644 pkg/lib/argo/argo.go create mode 100644 pkg/lib/k8s/configmap.go rename pkg/operator/workloads/{api.go => api_workload.go} (73%) delete mode 100644 pkg/operator/workloads/consts.go create mode 100644 pkg/operator/workloads/cron.go delete mode 100644 pkg/operator/workloads/parsed_workflow.go delete mode 100644 pkg/operator/workloads/python_package_job.go create mode 100644 pkg/operator/workloads/python_package_workload.go create mode 100644 pkg/operator/workloads/saved_base_workload.go create mode 100644 pkg/operator/workloads/saved_base_workload_cache.go rename pkg/operator/workloads/{data_job.go => spark_workload.go} (55%) rename pkg/operator/workloads/{training_job.go => training_workload.go} (56%) create mode 100644 pkg/operator/workloads/workload.go delete mode 100644 pkg/operator/workloads/workload_spec.go diff --git a/Makefile b/Makefile index 057edcb928..aad42aa5d5 100644 --- a/Makefile +++ b/Makefile 
@@ -137,8 +137,6 @@ ci-build-images: @./build/build-image.sh images/fluentd fluentd @./build/build-image.sh images/nginx-controller nginx-controller @./build/build-image.sh images/nginx-backend nginx-backend - @./build/build-image.sh images/argo-controller argo-controller - @./build/build-image.sh images/argo-executor argo-executor @./build/build-image.sh images/python-packager python-packager @./build/build-image.sh images/cluster-autoscaler cluster-autoscaler @./build/build-image.sh images/nvidia nvidia @@ -158,8 +156,6 @@ ci-push-images: @./build/push-image.sh fluentd @./build/push-image.sh nginx-controller @./build/push-image.sh nginx-backend - @./build/push-image.sh argo-controller - @./build/push-image.sh argo-executor @./build/push-image.sh python-packager @./build/push-image.sh cluster-autoscaler @./build/push-image.sh nvidia diff --git a/cortex.sh b/cortex.sh index d682bb1102..9fb0052b63 100755 --- a/cortex.sh +++ b/cortex.sh @@ -117,8 +117,6 @@ export CORTEX_NODES_MAX="${CORTEX_NODES_MAX:-5}" export CORTEX_NAMESPACE="${CORTEX_NAMESPACE:-cortex}" export CORTEX_IMAGE_MANAGER="${CORTEX_IMAGE_MANAGER:-cortexlabs/manager:$CORTEX_VERSION_STABLE}" -export CORTEX_IMAGE_ARGO_CONTROLLER="${CORTEX_IMAGE_ARGO_CONTROLLER:-cortexlabs/argo-controller:$CORTEX_VERSION_STABLE}" -export CORTEX_IMAGE_ARGO_EXECUTOR="${CORTEX_IMAGE_ARGO_EXECUTOR:-cortexlabs/argo-executor:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_FLUENTD="${CORTEX_IMAGE_FLUENTD:-cortexlabs/fluentd:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_NGINX_BACKEND="${CORTEX_IMAGE_NGINX_BACKEND:-cortexlabs/nginx-backend:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_NGINX_CONTROLLER="${CORTEX_IMAGE_NGINX_CONTROLLER:-cortexlabs/nginx-controller:$CORTEX_VERSION_STABLE}" 
@@ -176,8 +174,6 @@ function install_cortex() { -e CORTEX_NODE_TYPE=$CORTEX_NODE_TYPE \ -e CORTEX_LOG_GROUP=$CORTEX_LOG_GROUP \ -e CORTEX_BUCKET=$CORTEX_BUCKET \ - -e CORTEX_IMAGE_ARGO_CONTROLLER=$CORTEX_IMAGE_ARGO_CONTROLLER \ - -e CORTEX_IMAGE_ARGO_EXECUTOR=$CORTEX_IMAGE_ARGO_EXECUTOR \ -e CORTEX_IMAGE_FLUENTD=$CORTEX_IMAGE_FLUENTD \ -e CORTEX_IMAGE_NGINX_BACKEND=$CORTEX_IMAGE_NGINX_BACKEND \ -e CORTEX_IMAGE_NGINX_CONTROLLER=$CORTEX_IMAGE_NGINX_CONTROLLER \ diff --git a/dev/registry.sh b/dev/registry.sh index b501e5844b..039adb86df 100755 --- a/dev/registry.sh +++ b/dev/registry.sh @@ -36,8 +36,6 @@ function ecr_login() { function create_registry() { aws ecr create-repository --repository-name=cortexlabs/manager --region=$REGISTRY_REGION || true - aws ecr create-repository --repository-name=cortexlabs/argo-controller --region=$REGISTRY_REGION || true - aws ecr create-repository --repository-name=cortexlabs/argo-executor --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/fluentd --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/nginx-backend --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/nginx-controller --region=$REGISTRY_REGION || true @@ -137,8 +135,6 @@ elif [ "$cmd" = "update" ]; then build_and_push $ROOT/images/nginx-controller nginx-controller latest build_and_push $ROOT/images/nginx-backend nginx-backend latest build_and_push $ROOT/images/fluentd fluentd latest - build_and_push $ROOT/images/argo-controller argo-controller latest - build_and_push $ROOT/images/argo-executor argo-executor latest build_and_push $ROOT/images/tf-serve tf-serve latest build_and_push $ROOT/images/tf-serve-gpu tf-serve-gpu latest build_and_push $ROOT/images/python-packager python-packager latest diff --git a/docs/cluster/config.md b/docs/cluster/config.md index 6dc5ac1358..df65209c52 100644 --- a/docs/cluster/config.md +++ b/docs/cluster/config.md 
@@ -40,8 +40,6 @@ export CORTEX_NAMESPACE="cortex" # Image paths export CORTEX_IMAGE_MANAGER="cortexlabs/manager:master" -export CORTEX_IMAGE_ARGO_CONTROLLER="cortexlabs/argo-controller:master" -export CORTEX_IMAGE_ARGO_EXECUTOR="cortexlabs/argo-executor:master" export CORTEX_IMAGE_FLUENTD="cortexlabs/fluentd:master" export CORTEX_IMAGE_NGINX_BACKEND="cortexlabs/nginx-backend:master" export CORTEX_IMAGE_NGINX_CONTROLLER="cortexlabs/nginx-controller:master" diff --git a/docs/cluster/development.md b/docs/cluster/development.md index e00f8105f1..00f0f96138 100644 --- a/docs/cluster/development.md +++ b/docs/cluster/development.md @@ -56,8 +56,6 @@ export CORTEX_NODES_MAX="5" export CORTEX_NAMESPACE="cortex" export CORTEX_IMAGE_MANAGER="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/manager:latest" -export CORTEX_IMAGE_ARGO_CONTROLLER="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/argo-controller:latest" -export CORTEX_IMAGE_ARGO_EXECUTOR="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/argo-executor:latest" export CORTEX_IMAGE_FLUENTD="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/fluentd:latest" export CORTEX_IMAGE_NGINX_BACKEND="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/nginx-backend:latest" export CORTEX_IMAGE_NGINX_CONTROLLER="XXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/cortexlabs/nginx-controller:latest" diff --git a/go.mod b/go.mod index eac3486535..902fd7445a 100644 --- a/go.mod +++ b/go.mod 
@@ -4,11 +4,10 @@ // go mod tidy // replace these lines in go.mod: // github.com/GoogleCloudPlatform/spark-on-k8s-operator v1alpha1-0.5-2.4.0 -// github.com/argoproj/argo v2.3.0 // github.com/cortexlabs/yaml v2.2.4 -// k8s.io/client-go v10.0.0 -// k8s.io/api 89a74a8d264df0e993299876a8cde88379b940ee -// k8s.io/apimachinery 2b1284ed4c93a43499e781493253e2ac5959c4fd +// k8s.io/client-go v12.0.0 +// k8s.io/api 7525909cc6da +// k8s.io/apimachinery 1799e75a0719 // (note: go to the commit for the client-go release and browse to Godeps/Godeps.json to find the SHAs for k8s.io/api and k8s.io/apimachinery) // go mod tidy // check the diff in this file 
@@ -19,39 +18,23 @@ go 1.12 require ( github.com/GoogleCloudPlatform/spark-on-k8s-operator v0.0.0-20181208011959-62db1d66dafa - github.com/argoproj/argo v2.3.0+incompatible - github.com/aws/aws-sdk-go v1.20.12 + github.com/aws/aws-sdk-go v1.20.20 github.com/cortexlabs/yaml v0.0.0-20190626164117-202ab3a3d475 github.com/davecgh/go-spew v1.1.1 - github.com/emicklei/go-restful v2.9.6+incompatible // indirect - github.com/ghodss/yaml v1.0.0 - github.com/go-openapi/spec v0.19.2 // indirect - github.com/gogo/protobuf v1.2.1 // indirect - github.com/google/btree v1.0.0 // indirect - github.com/google/gofuzz v1.0.0 // indirect - github.com/googleapis/gnostic v0.3.0 // indirect github.com/gorilla/mux v1.7.3 github.com/gorilla/websocket v1.4.0 - github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/imdario/mergo v0.3.7 // indirect - github.com/json-iterator/go v1.1.6 // indirect github.com/mitchellh/go-homedir v1.1.0 - github.com/modern-go/reflect2 v1.0.1 // indirect - github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.8.1 github.com/spf13/cobra v0.0.5 github.com/stretchr/testify v1.3.0 github.com/tcnksm/go-input v0.0.0-20180404061846-548a7d7a8ee8 - github.com/ugorji/go/codec v1.1.5-pre + github.com/ugorji/go/codec v1.1.7 github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 // indirect golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5 - k8s.io/api v0.0.0-20181204000039-89a74a8d264d - k8s.io/apimachinery v0.0.0-20181127025237-2b1284ed4c93 - k8s.io/client-go v10.0.0+incompatible - k8s.io/klog v0.3.0 // indirect - k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208 // indirect - sigs.k8s.io/yaml v1.1.0 // indirect + k8s.io/api v0.0.0-20190620084959-7cf5895f2711 + k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 + 
k8s.io/client-go v0.0.0-20190620085101-78d2af792bab + k8s.io/utils v0.0.0-20190712204705-3dccf664f023 // indirect ) diff --git a/go.sum b/go.sum index fb2c8abb42..36fb0e3dc2 100644 --- a/go.sum +++ b/go.sum 
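Review bot: The pinned `k8s.io/api v0.0.0-20190620084959-7cf5895f2711` does not match the commit that the header comment of this file documents for the upgrade (`k8s.io/api 7525909cc6da`), while `k8s.io/apimachinery` does match its documented `1799e75a0719`. `k8s.io/client-go` is likewise pinned to a pseudo-version ending in `78d2af792bab` rather than the `v12.0.0` the comment names. That may simply be what `go mod tidy` resolved, but the comment is the record of which upstream commits were chosen, so I would update either the comment or the pins until they agree.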
@@ -1,193 +1,149 @@ cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/GoogleCloudPlatform/spark-on-k8s-operator v0.0.0-20181208011959-62db1d66dafa h1:+7sR1qfswfQkw01erHTK74SP1RLDwo8TSUh5C8AJgmo= github.com/GoogleCloudPlatform/spark-on-k8s-operator v0.0.0-20181208011959-62db1d66dafa/go.mod h1:6PnrZv6zUDkrNMw0mIoGRmGBR7i9LulhKPmxFq4rUiM= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/argoproj/argo v2.3.0+incompatible h1:L1OYZ86Q7NK19ahdl/eJOq78Mlf52wUKGmp7VDNQVz8= -github.com/argoproj/argo v2.3.0+incompatible/go.mod h1:KJ0MB+tuhtAklR4jkPM10mIZXfRA0peTYJ1sLUnFLVU= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/aws/aws-sdk-go v1.20.12 h1:xV7xfLSkiqd7JOnLlfER+Jz8kI98rAGJvtXssYkCRs4= -github.com/aws/aws-sdk-go v1.20.12/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.20.20 h1:OAR/GtjMOhenkp1NNKr1N1FgIP3mQXHeGbRhvVIAQp0= 
+github.com/aws/aws-sdk-go v1.20.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/cortexlabs/yaml v0.0.0-20190626164117-202ab3a3d475 h1:N+pms5TCPH2F/DIX6a+2dgJI/CHweh45pEhGW/+stxQ= github.com/cortexlabs/yaml v0.0.0-20190626164117-202ab3a3d475/go.mod h1:nuzR4zMPuiBWg1HyZo9bzSZmtdSVjKfn8+RyO7egs0c= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.6+incompatible h1:tfrHha8zJ01ywiOEC1miGY8st1/igzWB8OmvPgoYX7w= -github.com/emicklei/go-restful v2.9.6+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonpointer v0.19.2 h1:A9+F4Dc/MCNB5jibxf6rRvOvR/iFgQdyNx9eIhnGqq0= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/jsonreference v0.19.2 h1:o20suLFB4Ri0tuzpWtyHlh7E7HnkqTNLq6aR6WVNS1w= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/spec v0.19.2 h1:SStNd1jRcYtfKCN7R0laGNs80WYYvn5CbBjM2sOmCrE= -github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-openapi/swag v0.19.2 h1:jvO6bCMBEilGwMfHhrd61zIID4oIFdwb76V17SM88dE= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415 h1:WSBJMqJbLxsn+bTCPyPYZfqHdJmc8MK4wrBjMft6BAM= +github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod 
h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= -github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/googleapis/gnostic v0.0.0-20170426233943-68f4ded48ba9/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.3.0 h1:CcQijm0XKekKjP/YCz28LXVSpgguuB+nCxaSjCe09y0= -github.com/googleapis/gnostic v0.3.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck= +github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod 
h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4= github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= -github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE= +github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63 h1:nTT4s92Dgz2HlrB2NaMgvlfqHH39OgMhA7z3PK7PGD4= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 
v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s= 
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/tcnksm/go-input v0.0.0-20180404061846-548a7d7a8ee8 h1:RB0v+/pc8oMzPsN97aZYEwNuJ6ouRJ2uhjxemJ9zvrY= github.com/tcnksm/go-input v0.0.0-20180404061846-548a7d7a8ee8/go.mod h1:IlWNj9v/13q7xFbaK4mbyzMNwrZLaWSHx/aibKIZuIg= -github.com/ugorji/go v1.1.5-pre h1:jyJKFOSEbdOc2HODrf2qcCkYOdq7zzXqA9bhW5oV4fM= -github.com/ugorji/go v1.1.5-pre/go.mod h1:FwP/aQVg39TXzItUBMwnWp9T9gPQnXw4Poh4/oBQZ/0= +github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo= +github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw= github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/ugorji/go/codec v1.1.5-pre h1:5YV9PsFAN+ndcCtTM7s60no7nY7eTG3LPtxhSwuxzCs= -github.com/ugorji/go/codec v1.1.5-pre/go.mod 
h1:tULtS6Gy1AE1yCENaw4Vb//HLH5njI2tfCQDUqRd8fI= +github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs= +github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY= github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI= github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0= golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net 
v0.0.0-20190613194153-d28f0bde5980 h1:dfGZHvZk057jK2MCeWus/TowKpJ8y4AmooUzdBSR9GU= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 h1:bfLnR+k0tq5Lqt6dflRLcZiz6UaXCMt3vhYJ1l4FQ80= +golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f h1:25KHgbfyiSm6vwQLbM3zZIe1v9p/3ea4Rz+nnM5K/i4= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/sys v0.0.0-20190312061237-fead79001313 h1:pczuHS43Cp2ktBEEmLwScxgjWsBSzdaQiKzUyf3DTTc= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU= +golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/time v0.0.0-20161028155119-f51c12702a4d/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 
h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5 h1:E846t8CnR+lv5nE+VuiKTDG/v1U2stad0QzddfJC7kY= -gopkg.in/robfig/cron.v2 v2.0.0-20150107220207-be2e0b0deed5/go.mod h1:hiOFpYm0ZJbusNj2ywpbrXowU3G8U6GIQzqn2mw1UIE= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o= +gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -k8s.io/api v0.0.0-20181204000039-89a74a8d264d h1:HQoGWsWUe/FmRcX9BU440AAMnzBFEf+DBo4nbkQlNzs= -k8s.io/api v0.0.0-20181204000039-89a74a8d264d/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA= -k8s.io/apimachinery v0.0.0-20181127025237-2b1284ed4c93 h1:tT6oQBi0qwLbbZSfDkdIsb23EwaLY85hoAV4SpXfdao= -k8s.io/apimachinery v0.0.0-20181127025237-2b1284ed4c93/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0= -k8s.io/client-go v10.0.0+incompatible h1:F1IqCqw7oMBzDkqlcBymRq1450wD0eNqLE9jzUrIi34= -k8s.io/client-go v10.0.0+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod 
h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0 h1:0VPpR+sizsiivjIfIAQH/rl8tan6jvWkS7lU+0di3lE= +k8s.io/api v0.0.0-20190620084959-7cf5895f2711 h1:BblVYz/wE5WtBsD/Gvu54KyBUTJMflolzc5I2DTvh50= +k8s.io/api v0.0.0-20190620084959-7cf5895f2711/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A= +k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw= +k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA= +k8s.io/client-go v0.0.0-20190620085101-78d2af792bab h1:E8Fecph0qbNsAbijJJQryKu4Oi9QTp5cVpjTE+nqg6g= +k8s.io/client-go v0.0.0-20190620085101-78d2af792bab/go.mod h1:E95RaSlHr79aHaX0aGSwcPNfygDiPKOVXdmivCIZT0k= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208 h1:5sW+fEHvlJI3Ngolx30CmubFulwH28DhKjGf70Xmtco= -k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208/go.mod h1:nfDlWeOsu3pUf4yWGL+ERqohP4YsZcBJXWMK+gkzOA4= -sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68= +k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= +k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0= +k8s.io/utils v0.0.0-20190712204705-3dccf664f023 h1:1H4Jyzb0z2X0GfBMTwRjnt5ejffRHrGftUgJcV/ZfDc= +k8s.io/utils v0.0.0-20190712204705-3dccf664f023/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= 
diff --git a/images/argo-controller/Dockerfile b/images/argo-controller/Dockerfile deleted file mode 100644 index c9a245331e..0000000000 --- a/images/argo-controller/Dockerfile +++ /dev/null @@ -1 +0,0 @@ -FROM argoproj/workflow-controller:v2.3.0 diff --git a/images/argo-executor/Dockerfile b/images/argo-executor/Dockerfile deleted file mode 100644 index a0fe2c43bc..0000000000 --- a/images/argo-executor/Dockerfile +++ /dev/null @@ -1 +0,0 @@ -FROM argoproj/argoexec:v2.3.0 diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 4397d898d9..07d2369190 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -170,7 +170,6 @@ setup_configmap setup_secrets envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null -envsubst < manifests/argo.yaml | kubectl apply -f - >/dev/null envsubst < manifests/nginx.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/argo.yaml b/manager/manifests/argo.yaml deleted file mode 100644 index b4f6271583..0000000000 --- a/manager/manifests/argo.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright 2019 Cortex Labs, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-executor - namespace: $CORTEX_NAMESPACE ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argo-executor - namespace: $CORTEX_NAMESPACE -subjects: -- kind: ServiceAccount - name: argo-executor - namespace: $CORTEX_NAMESPACE -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: workflows.argoproj.io - namespace: $CORTEX_NAMESPACE -spec: - group: argoproj.io - names: - kind: Workflow - plural: workflows - shortNames: - - wf - scope: Namespaced - version: v1alpha1 ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-controller - namespace: $CORTEX_NAMESPACE ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argo-controller - namespace: $CORTEX_NAMESPACE -rules: -- apiGroups: [""] - resources: [pods, pods/exec] - verbs: [create, get, list, watch, update, patch, delete] -- apiGroups: [""] - resources: [configmaps] - verbs: [get, watch, list] -- apiGroups: [""] - resources: [persistentvolumeclaims] - verbs: [create, delete] -- apiGroups: [argoproj.io] - resources: [workflows, workflows/finalizers] - verbs: [get, list, watch, update, patch, delete] ---- - -apiVersion: rbac.authorization.k8s.io/v1 
-kind: RoleBinding -metadata: - name: argo - namespace: $CORTEX_NAMESPACE -subjects: -- kind: ServiceAccount - name: argo-controller - namespace: $CORTEX_NAMESPACE -roleRef: - kind: Role - name: argo-controller - apiGroup: rbac.authorization.k8s.io ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: argo-controller - namespace: $CORTEX_NAMESPACE -data: - config: | - namespace: $CORTEX_NAMESPACE ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argo-controller - namespace: $CORTEX_NAMESPACE -spec: - selector: - matchLabels: - app: argo-controller - template: - metadata: - labels: - app: argo-controller - spec: - containers: - - args: - - --configmap - - argo-controller - - --executor-image - - $CORTEX_IMAGE_ARGO_EXECUTOR - - --executor-image-pull-policy - - Always - command: - - workflow-controller - image: $CORTEX_IMAGE_ARGO_CONTROLLER - imagePullPolicy: Always - name: argo-controller - serviceAccountName: argo-controller diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 16669dd2b1..70e4b63a19 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -45,11 +45,11 @@ spec: replicas: 1 selector: matchLabels: - workloadId: operator + workloadID: operator template: metadata: labels: - workloadId: operator + workloadID: operator workloadType: operator spec: containers: @@ -86,7 +86,7 @@ metadata: workloadType: operator spec: selector: - workloadId: operator + workloadID: operator ports: - port: 8888 targetPort: 8888 diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh index 720cb22ff0..cac7c0687b 100755 --- a/manager/uninstall_cortex.sh +++ b/manager/uninstall_cortex.sh 
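Review bot: The key change from `workloadId` to `workloadID` in the `@@ -45,11 +45,11 @@` hunk of manager/manifests/operator.yaml also rewrites `spec.selector.matchLabels` of the operator Deployment, and under `apps/v1` a Deployment selector cannot be changed in place. The `apiVersion` line is outside the hunk, so this needs confirming. If it applies, the `kubectl apply -f -` step in install_cortex.sh will be rejected on a cluster that already runs the operator, so the upgrade path should first remove the old object, for example `kubectl -n $CORTEX_NAMESPACE delete --ignore-not-found=true deployment <operator-deployment-name>` before the apply. The Service selector in the `@@ -86,7 +86,7 @@` hunk switches to the same key, so pods still labelled `workloadId` would leave port 8888 without backends until they are re-created. Any other selector or label lookup that still uses the old spelling, none of which is visible in this hunk, would need to change in the same commit.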
@@ -30,7 +30,6 @@ fi kubectl delete --ignore-not-found=true customresourcedefinition scheduledsparkapplications.sparkoperator.k8s.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1 -kubectl delete --ignore-not-found=true customresourcedefinition workflows.argoproj.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1 echo "✓ Uninstalled Cortex" diff --git a/pkg/lib/argo/argo.go b/pkg/lib/argo/argo.go deleted file mode 100644 index 5f53d8911a..0000000000 --- a/pkg/lib/argo/argo.go +++ /dev/null 
@@ -1,319 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package argo - -import ( - "strings" - "time" - - argowf "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1" - argoclientset "github.com/argoproj/argo/pkg/client/clientset/versioned" - argoclientapi "github.com/argoproj/argo/pkg/client/clientset/versioned/typed/workflow/v1alpha1" - kerrors "k8s.io/apimachinery/pkg/api/errors" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - kclientrest "k8s.io/client-go/rest" - - "github.com/cortexlabs/cortex/pkg/lib/errors" - "github.com/cortexlabs/cortex/pkg/lib/k8s" - "github.com/cortexlabs/cortex/pkg/lib/maps" - "github.com/cortexlabs/cortex/pkg/lib/pointer" - "github.com/cortexlabs/cortex/pkg/lib/sets/strset" - "github.com/cortexlabs/cortex/pkg/lib/slices" -) - -var ( - doneStates = []string{ - string(argowf.NodeSucceeded), - string(argowf.NodeSkipped), - string(argowf.NodeFailed), - string(argowf.NodeError), - } - runningStates = []string{ - string(argowf.NodeRunning), - } -) - -type Client struct { - workflowClient argoclientapi.WorkflowInterface - namespace string -} - -func New(restConfig *kclientrest.Config, namespace string) *Client { - client := &Client{ - namespace: namespace, - } - wfcs := argoclientset.NewForConfigOrDie(restConfig) - client.workflowClient = wfcs.ArgoprojV1alpha1().Workflows(namespace) - return client -} - -type WorkflowTask struct { - Name string - Action string - Manifest string - SuccessCondition string - 
FailureCondition string - Dependencies []string - Labels map[string]string -} - -func (c *Client) NewWorkflow(name string, labels ...map[string]string) *argowf.Workflow { - name = "argo-" + name - if !strings.HasSuffix(name, "-") && !strings.HasSuffix(name, "_") { - name = name + "-" - } - allLabels := maps.MergeStrMaps(labels...) - - return &argowf.Workflow{ - ObjectMeta: kmeta.ObjectMeta{ - GenerateName: name, - Namespace: c.namespace, - Labels: allLabels, - }, - Spec: argowf.WorkflowSpec{ - ServiceAccountName: "argo-executor", - Entrypoint: "DAG", - Templates: []argowf.Template{ - { - Name: "DAG", - DAG: &argowf.DAGTemplate{ - Tasks: []argowf.DAGTask{}, - }, - }, - }, - }, - } -} - -func AddTask(wf *argowf.Workflow, task *WorkflowTask) *argowf.Workflow { - if task == nil { - return wf - } - - DAGTask := argowf.DAGTask{ - Name: task.Name, - Template: task.Name, - Dependencies: slices.RemoveEmptiesAndUnique(task.Dependencies), - } - - // All tasks are added to the DAG template which is first - wf.Spec.Templates[0].DAG.Tasks = append(wf.Spec.Templates[0].DAG.Tasks, DAGTask) - - labels := task.Labels - labels["argo"] = "true" - - template := argowf.Template{ - Name: task.Name, - Resource: &argowf.ResourceTemplate{ - Action: task.Action, - Manifest: task.Manifest, - SuccessCondition: task.SuccessCondition, - FailureCondition: task.FailureCondition, - }, - Metadata: argowf.Metadata{ - Labels: labels, - }, - } - - wf.Spec.Templates = append(wf.Spec.Templates, template) - - return wf -} - -func EnableGC(spec kmeta.Object) { - ownerReferences := spec.GetOwnerReferences() - ownerReferences = append(ownerReferences, kmeta.OwnerReference{ - APIVersion: "argoproj.io/v1alpha1", - Kind: "Workflow", - Name: "{{workflow.name}}", - UID: "{{workflow.uid}}", - BlockOwnerDeletion: pointer.Bool(false), - }) - spec.SetOwnerReferences(ownerReferences) -} - -func NumTasks(wf *argowf.Workflow) int { - if wf == nil || len(wf.Spec.Templates) == 0 { - return 0 - } - return 
len(wf.Spec.Templates[0].DAG.Tasks) -} - -func (c *Client) Run(wf *argowf.Workflow) error { - _, err := c.workflowClient.Create(wf) - if err != nil { - return errors.WithStack(err) - } - return nil -} - -func (c *Client) List(opts *kmeta.ListOptions) ([]argowf.Workflow, error) { - if opts == nil { - opts = &kmeta.ListOptions{} - } - wfList, err := c.workflowClient.List(*opts) - if err != nil { - return nil, errors.WithStack(err) - } - return wfList.Items, nil -} - -func (c *Client) ListByLabels(labels map[string]string) ([]argowf.Workflow, error) { - opts := &kmeta.ListOptions{ - LabelSelector: k8s.LabelSelector(labels), - } - return c.List(opts) -} - -func (c *Client) ListByLabel(labelKey string, labelValue string) ([]argowf.Workflow, error) { - return c.ListByLabels(map[string]string{labelKey: labelValue}) -} - -func (c *Client) ListRunning(labels ...map[string]string) ([]argowf.Workflow, error) { - wfs, err := c.ListByLabels(maps.MergeStrMaps(labels...)) - if err != nil { - return wfs, err - } - runningWfs := []argowf.Workflow{} - for _, wf := range wfs { - if IsRunning(&wf) { - runningWfs = append(runningWfs, wf) - } - } - return runningWfs, nil -} - -func (c *Client) ListDone(labels ...map[string]string) ([]argowf.Workflow, error) { - wfs, err := c.ListByLabels(maps.MergeStrMaps(labels...)) - if err != nil { - return wfs, err - } - doneWfs := []argowf.Workflow{} - for _, wf := range wfs { - if IsDone(&wf) { - doneWfs = append(doneWfs, wf) - } - } - return doneWfs, nil -} - -func (c *Client) Delete(wfName string) (bool, error) { - err := c.workflowClient.Delete(wfName, &kmeta.DeleteOptions{}) - if kerrors.IsNotFound(err) { - return false, nil - } else if err != nil { - return false, errors.WithStack(err) - } - return true, nil -} - -func (c *Client) DeleteMultiple(wfs []argowf.Workflow) error { - errs := []error{} - for _, wf := range wfs { - _, err := c.Delete(wf.Name) - errs = append(errs, err) - } - return errors.FirstError(errs...) 
-} - -func IsDone(wf *argowf.Workflow) bool { - if wf == nil { - return true - } - return slices.HasString(doneStates, string(wf.Status.Phase)) -} - -func IsRunning(wf *argowf.Workflow) bool { - if wf == nil { - return false - } - return slices.HasString(runningStates, string(wf.Status.Phase)) -} - -type WorkflowItem struct { - Task *argowf.DAGTask - Template *argowf.Template - NodeStatus *argowf.NodeStatus - Labels map[string]string -} - -// ParseWorkflow returns task name -> *WorkflowItem -func ParseWorkflow(wf *argowf.Workflow) map[string]*WorkflowItem { - if wf == nil { - return nil - } - pWf := make(map[string]*WorkflowItem) - for _, task := range wf.Spec.Templates[0].DAG.Tasks { - initTask(task, pWf) - } - for i, template := range wf.Spec.Templates { - if i != 0 { - addTemplate(template, pWf) - } - } - for _, nodeStatus := range wf.Status.Nodes { - addNodeStatus(nodeStatus, pWf) - } - return pWf -} - -func initTask(task argowf.DAGTask, pWf map[string]*WorkflowItem) { - pWf[task.Name] = &WorkflowItem{ - Task: &task, - } -} - -func addTemplate(template argowf.Template, pWf map[string]*WorkflowItem) { - pWf[template.Name].Template = &template - pWf[template.Name].Labels = template.Metadata.Labels -} - -func addNodeStatus(nodeStatus argowf.NodeStatus, pWf map[string]*WorkflowItem) { - if nodeStatus.Type != argowf.NodeTypePod { - return - } - pWf[nodeStatus.TemplateName].NodeStatus = &nodeStatus -} - -func (wfItem *WorkflowItem) StartedAt() *time.Time { - if wfItem.NodeStatus != nil && !wfItem.NodeStatus.StartedAt.Time.IsZero() { - return &wfItem.NodeStatus.StartedAt.Time - } - return nil -} - -func (wfItem *WorkflowItem) FinishedAt() *time.Time { - if wfItem.NodeStatus != nil && !wfItem.NodeStatus.FinishedAt.Time.IsZero() { - return &wfItem.NodeStatus.FinishedAt.Time - } - return nil -} - -func (wfItem *WorkflowItem) Phase() *argowf.NodePhase { - if wfItem.NodeStatus != nil { - return &wfItem.NodeStatus.Phase - } - return nil -} - -func (wfItem *WorkflowItem) 
Dependencies() strset.Set { - if wfItem.Task != nil && wfItem.Task.Dependencies != nil { - return strset.New(wfItem.Task.Dependencies...) - } - - return strset.New() -} diff --git a/pkg/lib/debug/debug.go b/pkg/lib/debug/debug.go index a1c860d46b..f5a939ea3a 100644 --- a/pkg/lib/debug/debug.go +++ b/pkg/lib/debug/debug.go @@ -20,6 +20,7 @@ import ( "encoding/json" "fmt" + "github.com/cortexlabs/yaml" "github.com/davecgh/go-spew/spew" "github.com/cortexlabs/cortex/pkg/lib/errors" @@ -51,3 +52,11 @@ func Ppj(obj interface{}) { } fmt.Println(string(b)) } + +func Ppy(obj interface{}) { + b, err := yaml.Marshal(obj) + if err != nil { + errors.PrintError(err) + } + fmt.Println(string(b)) +} diff --git a/pkg/lib/k8s/configmap.go b/pkg/lib/k8s/configmap.go new file mode 100644 index 0000000000..4f9c6fa236 --- /dev/null +++ b/pkg/lib/k8s/configmap.go 
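Review bot: In `Ppy` the error branch does not return, so after `errors.PrintError(err)` the function still reaches `fmt.Println(string(b))` and prints whatever `b` holds, most likely an empty line. Adding `return` after `errors.PrintError(err)` keeps a failed dump from looking like an empty object. The tail of `Ppj` visible in the hunk context suggests it has the same shape, so both could be fixed together.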
@@ -0,0 +1,165 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package k8s + +import ( + kcore "k8s.io/api/core/v1" + kerrors "k8s.io/apimachinery/pkg/api/errors" + kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/cortexlabs/cortex/pkg/lib/errors" +) + +var configMapTypeMeta = kmeta.TypeMeta{ + APIVersion: "v1", + Kind: "ConfigMap", +} + +type ConfigMapSpec struct { + Name string + Namespace string + Data map[string]string + Labels map[string]string +} + +func ConfigMap(spec *ConfigMapSpec) *kcore.ConfigMap { + if spec.Namespace == "" { + spec.Namespace = "default" + } + configMap := &kcore.ConfigMap{ + TypeMeta: configMapTypeMeta, + ObjectMeta: kmeta.ObjectMeta{ + Name: spec.Name, + Namespace: spec.Namespace, + Labels: spec.Labels, + }, + Data: spec.Data, + } + return configMap +} + +func (c *Client) CreateConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, error) { + configMap.TypeMeta = configMapTypeMeta + configMap, err := c.configMapClient.Create(configMap) + if err != nil { + return nil, errors.WithStack(err) + } + return configMap, nil +} + +func (c *Client) UpdateConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, error) { + configMap.TypeMeta = configMapTypeMeta + + // This didn't support deleting keys from configMap.Data + // objBytes, err := json.Marshal(configMap) + // if err != nil { + // return nil, err + // } + // configMap, err = c.configMapClient.Patch(configMap.Name, ktypes.MergePatchType, objBytes) + 
+ configMap, err := c.configMapClient.Update(configMap) + if err != nil { + return nil, errors.WithStack(err) + } + return configMap, nil +} + +func (c *Client) ApplyConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, error) { + existing, err := c.GetConfigMap(configMap.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateConfigMap(configMap) + } + return c.UpdateConfigMap(configMap) +} + +func (c *Client) GetConfigMap(name string) (*kcore.ConfigMap, error) { + configMap, err := c.configMapClient.Get(name, kmeta.GetOptions{}) + if kerrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) + } + configMap.TypeMeta = configMapTypeMeta + return configMap, nil +} + +func (c *Client) GetConfigMapData(name string) (map[string]string, error) { + configMap, err := c.GetConfigMap(name) + if err != nil { + return nil, err + } + if configMap == nil { + return nil, nil + } + return configMap.Data, nil +} + +func (c *Client) DeleteConfigMap(name string) (bool, error) { + err := c.configMapClient.Delete(name, deleteOpts) + if kerrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, errors.WithStack(err) + } + return true, nil +} + +func (c *Client) ConfigMapExists(name string) (bool, error) { + configMap, err := c.GetConfigMap(name) + if err != nil { + return false, err + } + return configMap != nil, nil +} + +func (c *Client) ListConfigMaps(opts *kmeta.ListOptions) ([]kcore.ConfigMap, error) { + if opts == nil { + opts = &kmeta.ListOptions{} + } + configMapList, err := c.configMapClient.List(*opts) + if err != nil { + return nil, errors.WithStack(err) + } + for i := range configMapList.Items { + configMapList.Items[i].TypeMeta = configMapTypeMeta + } + return configMapList.Items, nil +} + +func (c *Client) ListConfigMapsByLabels(labels map[string]string) ([]kcore.ConfigMap, error) { + opts := &kmeta.ListOptions{ + LabelSelector: LabelSelector(labels), + } + return 
c.ListConfigMaps(opts) +} + +func (c *Client) ListConfigMapsByLabel(labelKey string, labelValue string) ([]kcore.ConfigMap, error) { + return c.ListConfigMapsByLabels(map[string]string{labelKey: labelValue}) +} + +func ConfigMapMap(configMaps []kcore.ConfigMap) map[string]kcore.ConfigMap { + configMapMap := map[string]kcore.ConfigMap{} + for _, configMap := range configMaps { + configMapMap[configMap.Name] = configMap + } + return configMapMap +} diff --git a/pkg/lib/k8s/deployment.go b/pkg/lib/k8s/deployment.go index aafa0a0b1f..d0376e6d0a 100644 --- a/pkg/lib/k8s/deployment.go +++ b/pkg/lib/k8s/deployment.go @@ -17,12 +17,14 @@ limitations under the License. package k8s import ( + "encoding/json" "time" kapps "k8s.io/api/apps/v1" kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" ) @@ -32,8 +34,6 @@ var deploymentTypeMeta = kmeta.TypeMeta{ Kind: "Deployment", } -const DeploymentSuccessConditionAll = "!status.unavailableReplicas" - type DeploymentSpec struct { Name string Namespace string @@ -82,8 +82,9 @@ func Deployment(spec *DeploymentSpec) *kapps.Deployment { return deployment } -func (c *Client) CreateDeployment(spec *DeploymentSpec) (*kapps.Deployment, error) { - deployment, err := c.deploymentClient.Create(Deployment(spec)) +func (c *Client) CreateDeployment(deployment *kapps.Deployment) (*kapps.Deployment, error) { + deployment.TypeMeta = deploymentTypeMeta + deployment, err := c.deploymentClient.Create(deployment) if err != nil { return nil, errors.WithStack(err) } 
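Review bot: `ApplyConfigMap` chooses between create and update from a separate `GetConfigMap` call, so two callers applying the same name at once can both see nil, and the slower one gets an AlreadyExists error from `CreateConfigMap`. Treating AlreadyExists from the create as a signal to fall through to `UpdateConfigMap` would make the helper idempotent under concurrency. The check has to run on the unwrapped error, because `CreateConfigMap` returns it through `errors.WithStack`. The same get-then-write shape is repeated in `ApplyDeployment`, `ApplyHPA`, `ApplyIngress`, `ApplyJob`, `ApplyPod`, `ApplyService` and the Spark `Apply` later in this patch. Separately, `ConfigMap()` writes `"default"` back into the caller's `spec.Namespace`, while the client is bound to one namespace (`ConfigMaps(namespace)` in k8s.go), so an empty namespace may end up not matching the namespace the request is sent to.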
@@ -91,13 +92,30 @@ func (c *Client) CreateDeployment(spec *DeploymentSpec) (*kapps.Deployment, erro } func (c *Client) UpdateDeployment(deployment *kapps.Deployment) (*kapps.Deployment, error) { - deployment, err := c.deploymentClient.Update(deployment) + deployment.TypeMeta = deploymentTypeMeta + objBytes, err := json.Marshal(deployment) + if err != nil { + return nil, err + } + + deployment, err = c.deploymentClient.Patch(deployment.Name, ktypes.MergePatchType, objBytes) if err != nil { return nil, errors.WithStack(err) } return deployment, nil } +func (c *Client) ApplyDeployment(deployment *kapps.Deployment) (*kapps.Deployment, error) { + existing, err := c.GetDeployment(deployment.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateDeployment(deployment) + } + return c.UpdateDeployment(deployment) +} + func (c *Client) GetDeployment(name string) (*kapps.Deployment, error) { deployment, err := c.deploymentClient.Get(name, kmeta.GetOptions{}) if kerrors.IsNotFound(err) { diff --git a/pkg/lib/k8s/hpa.go b/pkg/lib/k8s/hpa.go index 134170e1ac..b57d936051 100644 --- a/pkg/lib/k8s/hpa.go +++ b/pkg/lib/k8s/hpa.go @@ -17,9 +17,12 @@ limitations under the License. package k8s import ( + "encoding/json" + kautoscaling "k8s.io/api/autoscaling/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" ) @@ -63,8 +66,9 @@ func HPA(spec *HPASpec) *kautoscaling.HorizontalPodAutoscaler { return hpa } -func (c *Client) CreateHPA(spec *HPASpec) (*kautoscaling.HorizontalPodAutoscaler, error) { - hpa, err := c.hpaClient.Create(HPA(spec)) +func (c *Client) CreateHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautoscaling.HorizontalPodAutoscaler, error) { + hpa.TypeMeta = hpaTypeMeta + hpa, err := c.hpaClient.Create(hpa) if err != nil { return nil, errors.WithStack(err) } 
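Review bot: Sending the whole marshalled object as a `ktypes.MergePatchType` patch in `UpdateDeployment` cannot remove anything. A JSON merge patch deletes a key only when the patch carries an explicit null, and a key dropped from the desired object (a label, an annotation, a `nodeSelector` entry) is simply absent from `objBytes`, so it stays on the live object. The new configmap.go in this patch notes the same limitation ("This didn't support deleting keys from configMap.Data") and keeps `Update` for that reason; for labels it matters because a stale one can keep pods matched by a selector after it was meant to be dropped. If replace semantics are intended, `ApplyDeployment` could set `deployment.ResourceVersion = existing.ResourceVersion` and call `c.deploymentClient.Update(deployment)`. The same applies to `UpdateHPA`, `UpdateIngress`, `UpdateJob`, `UpdatePod`, `UpdateService` and the Spark `Update`. The `json.Marshal` error is also returned without `errors.WithStack`, unlike the other error paths in these files.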
@@ -72,13 +76,30 @@ func (c *Client) CreateHPA(spec *HPASpec) (*kautoscaling.HorizontalPodAutoscaler } func (c *Client) UpdateHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautoscaling.HorizontalPodAutoscaler, error) { - hpa, err := c.hpaClient.Update(hpa) + hpa.TypeMeta = hpaTypeMeta + objBytes, err := json.Marshal(hpa) + if err != nil { + return nil, err + } + + hpa, err = c.hpaClient.Patch(hpa.Name, ktypes.MergePatchType, objBytes) if err != nil { return nil, errors.WithStack(err) } return hpa, nil } +func (c *Client) ApplyHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautoscaling.HorizontalPodAutoscaler, error) { + existing, err := c.GetHPA(hpa.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateHPA(hpa) + } + return c.UpdateHPA(hpa) +} + func (c *Client) GetHPA(name string) (*kautoscaling.HorizontalPodAutoscaler, error) { hpa, err := c.hpaClient.Get(name, kmeta.GetOptions{}) if kerrors.IsNotFound(err) { diff --git a/pkg/lib/k8s/ingress.go b/pkg/lib/k8s/ingress.go index fc29a815b9..56acdaefff 100644 --- a/pkg/lib/k8s/ingress.go +++ b/pkg/lib/k8s/ingress.go @@ -17,9 +17,12 @@ limitations under the License. package k8s import ( + "encoding/json" + kextensions "k8s.io/api/extensions/v1beta1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" intstr "k8s.io/apimachinery/pkg/util/intstr" "github.com/cortexlabs/cortex/pkg/lib/errors" @@ -80,8 +83,9 @@ func Ingress(spec *IngressSpec) *kextensions.Ingress { return ingress } -func (c *Client) CreateIngress(spec *IngressSpec) (*kextensions.Ingress, error) { - ingress, err := c.ingressClient.Create(Ingress(spec)) +func (c *Client) CreateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { + ingress.TypeMeta = ingressTypeMeta + ingress, err := c.ingressClient.Create(ingress) if err != nil { return nil, errors.WithStack(err) } 
@@ -89,13 +93,30 @@ func (c *Client) CreateIngress(spec *IngressSpec) (*kextensions.Ingress, error) } func (c *Client) UpdateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { - ingress, err := c.ingressClient.Update(ingress) + ingress.TypeMeta = ingressTypeMeta + objBytes, err := json.Marshal(ingress) + if err != nil { + return nil, err + } + + ingress, err = c.ingressClient.Patch(ingress.Name, ktypes.MergePatchType, objBytes) if err != nil { return nil, errors.WithStack(err) } return ingress, nil } +func (c *Client) ApplyIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { + existing, err := c.GetIngress(ingress.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateIngress(ingress) + } + return c.UpdateIngress(ingress) +} + func (c *Client) GetIngress(name string) (*kextensions.Ingress, error) { ingress, err := c.ingressClient.Get(name, kmeta.GetOptions{}) if kerrors.IsNotFound(err) { diff --git a/pkg/lib/k8s/job.go b/pkg/lib/k8s/job.go index 0745f684d5..d2fc56deaa 100644 --- a/pkg/lib/k8s/job.go +++ b/pkg/lib/k8s/job.go @@ -17,17 +17,17 @@ limitations under the License. package k8s import ( + "encoding/json" + kbatch "k8s.io/api/batch/v1" kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" ) -const JobSuccessCondition = "status.succeeded > 0" -const JobFailureCondition = "status.failed > 0" - var jobTypeMeta = kmeta.TypeMeta{ APIVersion: "batch/v1", Kind: "Job", @@ -79,8 +79,9 @@ func Job(spec *JobSpec) *kbatch.Job { return job } -func (c *Client) CreateJob(spec *JobSpec) (*kbatch.Job, error) { - job, err := c.jobClient.Create(Job(spec)) +func (c *Client) CreateJob(job *kbatch.Job) (*kbatch.Job, error) { + job.TypeMeta = jobTypeMeta + job, err := c.jobClient.Create(job) if err != nil { return nil, errors.WithStack(err) } 
@@ -88,13 +89,30 @@ func (c *Client) CreateJob(spec *JobSpec) (*kbatch.Job, error) { } func (c *Client) UpdateJob(job *kbatch.Job) (*kbatch.Job, error) { - job, err := c.jobClient.Update(job) + job.TypeMeta = jobTypeMeta + objBytes, err := json.Marshal(job) + if err != nil { + return nil, err + } + + job, err = c.jobClient.Patch(job.Name, ktypes.MergePatchType, objBytes) if err != nil { return nil, errors.WithStack(err) } return job, nil } +func (c *Client) ApplyJob(job *kbatch.Job) (*kbatch.Job, error) { + existing, err := c.GetJob(job.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateJob(job) + } + return c.UpdateJob(job) +} + func (c *Client) GetJob(name string) (*kbatch.Job, error) { job, err := c.jobClient.Get(name, kmeta.GetOptions{}) if kerrors.IsNotFound(err) { @@ -158,3 +176,14 @@ func JobMap(jobs []kbatch.Job) map[string]kbatch.Job { } return jobMap } + +func (c *Client) IsJobRunning(name string) (bool, error) { + job, err := c.GetJob(name) + if err != nil { + return false, err + } + if job == nil { + return false, nil + } + return job.Status.CompletionTime == nil, nil +} diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index a1e202ab7d..4e9758c1da 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -50,6 +50,7 @@ type Client struct { clientset *kclientset.Clientset podClient kclientcore.PodInterface serviceClient kclientcore.ServiceInterface + configMapClient kclientcore.ConfigMapInterface deploymentClient kclientapps.DeploymentInterface jobClient kclientbatch.JobInterface ingressClient kclientextensions.IngressInterface 
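Review bot: `ApplyJob` on an existing Job is likely to fail whenever the new object differs in its pod template, because the API server treats a Job's `spec.template` and `spec.selector` as immutable and would reject the patch issued by `UpdateJob`. If the intent is to replace a Job, the helper needs to delete and recreate it. Otherwise a doc comment such as `// ApplyJob creates the Job if absent; an existing Job can only be patched in its mutable fields` would make the limit visible to callers. `ApplyPod` in pkg/lib/k8s/pod.go has the same constraint, since most of a Pod's spec cannot be changed after creation.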
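Review bot: `IsJobRunning` reports a failed Job as still running, because `job.Status.CompletionTime` is only set when a Job finishes successfully; a Job that exhausted its retries keeps a nil completion time. The check should also consult the Job's conditions, returning false when one has `Type == kbatch.JobFailed && Status == kcore.ConditionTrue`, or at least when `job.Status.Failed > 0`, which matches the `JobFailureCondition` constant this patch removes. Without that, a caller polling this helper to decide when a workload has finished could wait indefinitely on a failed Job.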
@@ -80,6 +81,7 @@ func New(namespace string, inCluster bool) (*Client, error) { client.podClient = client.clientset.CoreV1().Pods(namespace) client.serviceClient = client.clientset.CoreV1().Services(namespace) + client.configMapClient = client.clientset.CoreV1().ConfigMaps(namespace) client.deploymentClient = client.clientset.AppsV1().Deployments(namespace) client.jobClient = client.clientset.BatchV1().Jobs(namespace) client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) diff --git a/pkg/lib/k8s/pod.go b/pkg/lib/k8s/pod.go index 5f258abe7c..d4d8a84e6e 100644 --- a/pkg/lib/k8s/pod.go +++ b/pkg/lib/k8s/pod.go @@ -17,11 +17,13 @@ limitations under the License. package k8s import ( + "encoding/json" "time" kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" libtime "github.com/cortexlabs/cortex/pkg/lib/time" @@ -75,8 +77,9 @@ func Pod(spec *PodSpec) *kcore.Pod { return pod } -func (c *Client) CreatePod(spec *PodSpec) (*kcore.Pod, error) { - pod, err := c.podClient.Create(Pod(spec)) +func (c *Client) CreatePod(pod *kcore.Pod) (*kcore.Pod, error) { + pod.TypeMeta = podTypeMeta + pod, err := c.podClient.Create(pod) if err != nil { return nil, errors.WithStack(err) } 
@@ -84,13 +87,30 @@ func (c *Client) CreatePod(spec *PodSpec) (*kcore.Pod, error) { } func (c *Client) UpdatePod(pod *kcore.Pod) (*kcore.Pod, error) { - pod, err := c.podClient.Update(pod) + pod.TypeMeta = podTypeMeta + objBytes, err := json.Marshal(pod) + if err != nil { + return nil, err + } + + pod, err = c.podClient.Patch(pod.Name, ktypes.MergePatchType, objBytes) if err != nil { return nil, errors.WithStack(err) } return pod, nil } +func (c *Client) ApplyPod(pod *kcore.Pod) (*kcore.Pod, error) { + existing, err := c.GetPod(pod.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreatePod(pod) + } + return c.UpdatePod(pod) +} + func GetPodLastContainerStartTime(pod *kcore.Pod) *time.Time { var startTime *time.Time for _, containerStatus := range pod.Status.ContainerStatuses { diff --git a/pkg/lib/k8s/service.go b/pkg/lib/k8s/service.go index 63f2d9f924..1cb7f74878 100644 --- a/pkg/lib/k8s/service.go +++ b/pkg/lib/k8s/service.go @@ -17,9 +17,12 @@ limitations under the License. package k8s import ( + "encoding/json" + kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" intstr "k8s.io/apimachinery/pkg/util/intstr" "github.com/cortexlabs/cortex/pkg/lib/errors" @@ -66,8 +69,9 @@ func Service(spec *ServiceSpec) *kcore.Service { return service } -func (c *Client) CreateService(spec *ServiceSpec) (*kcore.Service, error) { - service, err := c.serviceClient.Create(Service(spec)) +func (c *Client) CreateService(service *kcore.Service) (*kcore.Service, error) { + service.TypeMeta = serviceTypeMeta + service, err := c.serviceClient.Create(service) if err != nil { return nil, errors.WithStack(err) } 
@@ -75,13 +79,30 @@ func (c *Client) CreateService(spec *ServiceSpec) (*kcore.Service, error) { } func (c *Client) UpdateService(service *kcore.Service) (*kcore.Service, error) { - service, err := c.serviceClient.Update(service) + service.TypeMeta = serviceTypeMeta + objBytes, err := json.Marshal(service) + if err != nil { + return nil, err + } + + service, err = c.serviceClient.Patch(service.Name, ktypes.MergePatchType, objBytes) if err != nil { return nil, errors.WithStack(err) } return service, nil } +func (c *Client) ApplyService(service *kcore.Service) (*kcore.Service, error) { + existing, err := c.GetService(service.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateService(service) + } + return c.UpdateService(service) +} + func (c *Client) GetService(name string) (*kcore.Service, error) { service, err := c.serviceClient.Get(name, kmeta.GetOptions{}) if kerrors.IsNotFound(err) { diff --git a/pkg/lib/spark/spark.go b/pkg/lib/spark/spark.go index dd65bf9bbf..d2a8dba341 100644 --- a/pkg/lib/spark/spark.go +++ b/pkg/lib/spark/spark.go @@ -17,18 +17,18 @@ limitations under the License. package spark import ( - "strings" + "encoding/json" sparkop "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/apis/sparkoperator.k8s.io/v1alpha1" sparkopclientset "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/client/clientset/versioned" sparkopclientapi "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/client/clientset/versioned/typed/sparkoperator.k8s.io/v1alpha1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + ktypes "k8s.io/apimachinery/pkg/types" kclientrest "k8s.io/client-go/rest" "github.com/cortexlabs/cortex/pkg/lib/errors" "github.com/cortexlabs/cortex/pkg/lib/k8s" - "github.com/cortexlabs/cortex/pkg/lib/slices" ) type Client struct { 
@@ -36,55 +36,122 @@ type Client struct { sparkClient sparkopclientapi.SparkApplicationInterface } -var ( - doneStates = []string{ - string(sparkop.CompletedState), - string(sparkop.FailedState), - string(sparkop.FailedSubmissionState), - string(sparkop.UnknownState), +func New(restConfig *kclientrest.Config, namespace string) (*Client, error) { + var err error + client := &Client{} + client.sparkClientset, err = sparkopclientset.NewForConfig(restConfig) + if err != nil { + return nil, errors.Wrap(err, "spark", "kubeconfig") } - runningStates = []string{ - string(sparkop.NewState), - string(sparkop.SubmittedState), - string(sparkop.RunningState), + client.sparkClient = client.sparkClientset.SparkoperatorV1alpha1().SparkApplications(namespace) + return client, nil +} + +var sparkAppTypeMeta = kmeta.TypeMeta{ + APIVersion: "sparkoperator.k8s.io/v1alpha1", + Kind: "SparkApplication", +} + +type Spec struct { + Name string + Namespace string + Spec sparkop.SparkApplicationSpec + Labels map[string]string +} + +func App(spec *Spec) *sparkop.SparkApplication { + if spec.Namespace == "" { + spec.Namespace = "default" + } + return &sparkop.SparkApplication{ + TypeMeta: sparkAppTypeMeta, + ObjectMeta: kmeta.ObjectMeta{ + Name: spec.Name, + Namespace: spec.Namespace, + Labels: spec.Labels, + }, + Spec: spec.Spec, } +} - successStates = []string{ - string(sparkop.CompletedState), +func (c *Client) Create(sparkApp *sparkop.SparkApplication) (*sparkop.SparkApplication, error) { + sparkApp.TypeMeta = sparkAppTypeMeta + sparkApp, err := c.sparkClient.Create(sparkApp) + if err != nil { + return nil, errors.WithStack(err) } + return sparkApp, nil +} - failureStates = []string{ - string(sparkop.FailedState), - string(sparkop.FailedSubmissionState), - string(sparkop.UnknownState), +func (c *Client) Update(sparkApp *sparkop.SparkApplication) (*sparkop.SparkApplication, error) { + sparkApp.TypeMeta = sparkAppTypeMeta + objBytes, err := json.Marshal(sparkApp) + if err != nil { + return 
nil, err } - SuccessCondition = "status.applicationState.state in (" + strings.Join(successStates, ",") + ")" - FailureCondition = "status.applicationState.state in (" + strings.Join(failureStates, ",") + ")" -) + sparkApp, err = c.sparkClient.Patch(sparkApp.Name, ktypes.MergePatchType, objBytes) + if err != nil { + return nil, errors.WithStack(err) + } + return sparkApp, nil +} -func New(restConfig *kclientrest.Config, namespace string) (*Client, error) { - var err error - client := &Client{} - client.sparkClientset, err = sparkopclientset.NewForConfig(restConfig) +func (c *Client) Apply(sparkApp *sparkop.SparkApplication) (*sparkop.SparkApplication, error) { + existing, err := c.Get(sparkApp.Name) if err != nil { - return nil, errors.Wrap(err, "spark", "kubeconfig") + return nil, err } + if existing == nil { + return c.Create(sparkApp) + } + return c.Update(sparkApp) +} - client.sparkClient = client.sparkClientset.SparkoperatorV1alpha1().SparkApplications(namespace) - return client, nil +func (c *Client) Get(name string) (*sparkop.SparkApplication, error) { + sparkApp, err := c.sparkClient.Get(name, kmeta.GetOptions{}) + if kerrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) + } + sparkApp.TypeMeta = sparkAppTypeMeta + return sparkApp, nil +} + +func (c *Client) Delete(appName string) (bool, error) { + err := c.sparkClient.Delete(appName, &kmeta.DeleteOptions{}) + if kerrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, errors.WithStack(err) + } + return true, nil +} + +func (c *Client) Exists(name string) (bool, error) { + sparkApp, err := c.Get(name) + if err != nil { + return false, err + } + return sparkApp != nil, nil } func (c *Client) List(opts *kmeta.ListOptions) ([]sparkop.SparkApplication, error) { if opts == nil { opts = &kmeta.ListOptions{} } - sparkList, err := c.sparkClient.List(*opts) + sparkAppList, err := c.sparkClient.List(*opts) if err != nil { return nil, 
errors.WithStack(err) } - return sparkList.Items, nil + for i := range sparkAppList.Items { + sparkAppList.Items[i].TypeMeta = sparkAppTypeMeta + } + return sparkAppList.Items, nil } func (c *Client) ListByLabels(labels map[string]string) ([]sparkop.SparkApplication, error) { @@ -98,17 +165,21 @@ func (c *Client) ListByLabel(labelKey string, labelValue string) ([]sparkop.Spar return c.ListByLabels(map[string]string{labelKey: labelValue}) } -func (c *Client) Delete(appName string) (bool, error) { - err := c.sparkClient.Delete(appName, &kmeta.DeleteOptions{}) - if kerrors.IsNotFound(err) { - return false, nil +func Map(services []sparkop.SparkApplication) map[string]sparkop.SparkApplication { + sparkAppMap := map[string]sparkop.SparkApplication{} + for _, sparkApp := range services { + sparkAppMap[sparkApp.Name] = sparkApp } - if err != nil { - return false, errors.WithStack(err) - } - return true, nil + return sparkAppMap } -func IsDone(sparkApp *sparkop.SparkApplication) bool { - return slices.HasString(doneStates, string(sparkApp.Status.AppState.State)) +func (c *Client) IsRunning(name string) (bool, error) { + sparkApp, err := c.Get(name) + if err != nil { + return false, err + } + if sparkApp == nil { + return false, nil + } + return sparkApp.Status.CompletionTime.IsZero(), nil } diff --git a/pkg/operator/api/context/context.go b/pkg/operator/api/context/context.go index 7dafe70b25..0aef70158b 100644 --- a/pkg/operator/api/context/context.go +++ b/pkg/operator/api/context/context.go 
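Review bot: `IsRunning` now infers liveness from `sparkApp.Status.CompletionTime.IsZero()` alone, whereas the removed `doneStates` list also counted `FailedSubmissionState` and `UnknownState` as finished. Whether the operator stamps a completion time on an application that was never submitted is not visible in this patch; if it does not, such an application would be reported as running indefinitely. Checking `sparkApp.Status.AppState.State` against the failure states in addition to the completion time would keep the previous behaviour. Minor: the parameter of `Map` is named `services`, which looks like a leftover from service.go; `sparkApps` would read better.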
@@ -196,15 +196,6 @@ func (ctx *Context) AllResourcesByName(name string) []Resource { return resources } -// Overwrites any existing workload IDs -func (ctx *Context) PopulateWorkloadIDs(resourceWorkloadIDs map[string]string) { - for _, res := range ctx.ComputedResources() { - if workloadID, ok := resourceWorkloadIDs[res.GetID()]; ok { - res.SetWorkloadID(workloadID) - } - } -} - func (ctx *Context) CheckAllWorkloadIDsPopulated() error { for _, res := range ctx.ComputedResources() { if res.GetWorkloadID() == "" { diff --git a/pkg/operator/api/context/dependencies.go b/pkg/operator/api/context/dependencies.go index af10369d79..bc2de00a32 100644 --- a/pkg/operator/api/context/dependencies.go +++ b/pkg/operator/api/context/dependencies.go @@ -27,9 +27,13 @@ import ( "github.com/cortexlabs/cortex/pkg/operator/api/resource" ) -func (ctx *Context) AllComputedResourceDependencies(resourceID string) strset.Set { +// Get all dependencies for resourceID(s). Note: provided resourceIDs are not included in the dependency set +func (ctx *Context) AllComputedResourceDependencies(resourceIDs ...string) strset.Set { allDependencies := strset.New() - ctx.allComputedResourceDependenciesHelper(resourceID, allDependencies) + for _, resourceID := range resourceIDs { + ctx.allComputedResourceDependenciesHelper(resourceID, allDependencies) + } + allDependencies.Remove(resourceIDs...) return allDependencies } 
@@ -43,42 +47,46 @@ func (ctx *Context) allComputedResourceDependenciesHelper(resourceID string, all } } -func (ctx *Context) DirectComputedResourceDependencies(resourceID string) strset.Set { - for _, pythonPackage := range ctx.PythonPackages { - if pythonPackage.GetID() == resourceID { - return ctx.pythonPackageDependencies(pythonPackage) - } - } - for _, rawColumn := range ctx.RawColumns { - if rawColumn.GetID() == resourceID { - return ctx.rawColumnDependencies(rawColumn) +// Get all dependencies for resourceID(s). Note: provided resourceIDs are not included in the dependency set +func (ctx *Context) DirectComputedResourceDependencies(resourceIDs ...string) strset.Set { + allDependencies := strset.New() + for _, resourceID := range resourceIDs { + for _, pythonPackage := range ctx.PythonPackages { + if pythonPackage.GetID() == resourceID { + allDependencies.Merge(ctx.pythonPackageDependencies(pythonPackage)) + } } - } - for _, aggregate := range ctx.Aggregates { - if aggregate.ID == resourceID { - return ctx.aggregatesDependencies(aggregate) + for _, rawColumn := range ctx.RawColumns { + if rawColumn.GetID() == resourceID { + allDependencies.Merge(ctx.rawColumnDependencies(rawColumn)) + } } - } - for _, transformedColumn := range ctx.TransformedColumns { - if transformedColumn.ID == resourceID { - return ctx.transformedColumnDependencies(transformedColumn) + for _, aggregate := range ctx.Aggregates { + if aggregate.ID == resourceID { + allDependencies.Merge(ctx.aggregatesDependencies(aggregate)) + } } - } - for _, model := range ctx.Models { - if model.ID == resourceID { - return ctx.modelDependencies(model) + for _, transformedColumn := range ctx.TransformedColumns { + if transformedColumn.ID == resourceID { + allDependencies.Merge(ctx.transformedColumnDependencies(transformedColumn)) + } } - if model.Dataset.ID == resourceID { - return ctx.trainingDatasetDependencies(model) + for _, model := range ctx.Models { + if model.ID == resourceID { + 
allDependencies.Merge(ctx.modelDependencies(model)) + } + if model.Dataset.ID == resourceID { + allDependencies.Merge(ctx.trainingDatasetDependencies(model)) + } } - } - - for _, api := range ctx.APIs { - if api.ID == resourceID { - return ctx.apiDependencies(api) + for _, api := range ctx.APIs { + if api.ID == resourceID { + allDependencies.Merge(ctx.apiDependencies(api)) + } } } - return strset.New() + allDependencies.Remove(resourceIDs...) + return allDependencies } func (ctx *Context) pythonPackageDependencies(pythonPackage *PythonPackage) strset.Set { diff --git a/pkg/operator/api/userconfig/compute.go b/pkg/operator/api/userconfig/compute.go index 7a270e3b84..2763ee45e3 100644 --- a/pkg/operator/api/userconfig/compute.go +++ b/pkg/operator/api/userconfig/compute.go @@ -354,6 +354,9 @@ func MaxSparkCompute(sparkComputes ...*SparkCompute) *SparkCompute { aggregated := SparkCompute{} for _, sparkCompute := range sparkComputes { + if sparkCompute == nil { + continue + } if sparkCompute.Executors > aggregated.Executors { aggregated.Executors = sparkCompute.Executors } @@ -393,6 +396,9 @@ func MaxTFCompute(tfComputes ...*TFCompute) *TFCompute { aggregated := TFCompute{} for _, tc := range tfComputes { + if tc == nil { + continue + } if tc.CPU.Cmp(aggregated.CPU.Quantity) > 0 { aggregated.CPU = tc.CPU } diff --git a/pkg/operator/config/config.go b/pkg/operator/config/config.go index c6bcc64a7a..f6300a7fdb 100644 --- a/pkg/operator/config/config.go +++ b/pkg/operator/config/config.go @@ -20,7 +20,6 @@ import ( "path/filepath" "github.com/cortexlabs/cortex/pkg/consts" - "github.com/cortexlabs/cortex/pkg/lib/argo" "github.com/cortexlabs/cortex/pkg/lib/aws" "github.com/cortexlabs/cortex/pkg/lib/configreader" "github.com/cortexlabs/cortex/pkg/lib/hash" @@ -34,7 +33,6 @@ var ( AWS *aws.Client Kubernetes *k8s.Client Telemetry *telemetry.Client - Argo *argo.Client Spark *spark.Client ) 
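Review bot: The comment added above `DirectComputedResourceDependencies` is a copy of the one on `AllComputedResourceDependencies` and says "all dependencies", although this function only merges the results of the per-kind helpers for the given IDs. Suggested wording: `// Get the direct dependencies of resourceID(s). Note: provided resourceIDs are not included in the dependency set`. The old version returned at the first matching resource, whereas the loop now merges every match across kinds, and the comment could mention that too.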
@@ -91,8 +89,6 @@ func Init() error { return err } - Argo = argo.New(Kubernetes.RestConfig, Kubernetes.Namespace) - if Spark, err = spark.New(Kubernetes.RestConfig, Kubernetes.Namespace); err != nil { return err } diff --git a/pkg/operator/context/context.go b/pkg/operator/context/context.go index bf931f99e3..58794f401d 100644 --- a/pkg/operator/context/context.go +++ b/pkg/operator/context/context.go @@ -311,7 +311,7 @@ func LatestWorkloadIDKey(resourceID string, appName string) string { ) } -func WorkloadSpecKey(workloadID string, appName string) string { +func BaseWorkloadKey(workloadID string, appName string) string { return filepath.Join( consts.AppsDir, appName, diff --git a/pkg/operator/endpoints/deploy.go b/pkg/operator/endpoints/deploy.go index d7d4d3acb1..b3e8d7b3e2 100644 --- a/pkg/operator/endpoints/deploy.go +++ b/pkg/operator/endpoints/deploy.go @@ -19,7 +19,6 @@ package endpoints import ( "net/http" - "github.com/cortexlabs/cortex/pkg/lib/argo" "github.com/cortexlabs/cortex/pkg/lib/errors" "github.com/cortexlabs/cortex/pkg/lib/files" "github.com/cortexlabs/cortex/pkg/lib/zip" 
@@ -42,30 +41,35 @@ func Deploy(w http.ResponseWriter, r *http.Request) { return } - newWf, err := workloads.Create(ctx) + err = workloads.PopulateWorkloadIDs(ctx) if RespondIfError(w, err) { return } - existingWf, err := workloads.GetWorkflow(ctx.App.Name) + err = workloads.ValidateDeploy(ctx) if RespondIfError(w, err) { return } - isRunning := false - if existingWf != nil { - isRunning = argo.IsRunning(existingWf) + + existingCtx := workloads.CurrentContext(ctx.App.Name) + + fullCtxMatch := false + if existingCtx != nil && existingCtx.ID == ctx.ID && context.APIResourcesAndComputesMatch(ctx, existingCtx) { + fullCtxMatch = true + } + + isUpdating, err := workloads.IsDeploymentUpdating(ctx.App.Name) + if RespondIfError(w, err) { + return } - if isRunning { - if newWf.Labels["ctxID"] == existingWf.Labels["ctxID"] { - prevCtx := workloads.CurrentContext(ctx.App.Name) - if context.APIResourcesAndComputesMatch(ctx, prevCtx) { - respondDeploy(w, ResDeploymentRunning) - return - } + if isUpdating { + if fullCtxMatch { + respondDeploy(w, ResDeploymentUpToDateUpdating) + return } if !force { - respondDeploy(w, ResDifferentDeploymentRunning) + respondDeploy(w, ResDifferentDeploymentUpdating) return } } 
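Review bot: Nothing visible in `Deploy` serialises the `workloads.IsDeploymentUpdating(ctx.App.Name)` check with the later `workloads.Run(ctx)` call, so two concurrent deploy requests for the same app can both read `isUpdating == false` and both go on to run; the `--force` gate then only holds against sequential callers. Unless `workloads.Run` takes a per-app lock itself (its body is not in this section), consider holding one across the check and the run, or moving the check into `Run`. `existingCtx` is likewise read before the update check, so `fullCtxMatch` can be stale by the time the response is chosen. `Deploy` starts before this hunk and continues past it.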
@@ -75,28 +79,26 @@ func Deploy(w http.ResponseWriter, r *http.Request) { return } - err = workloads.Run(newWf, ctx, existingWf) + err = workloads.Run(ctx) if RespondIfError(w, err) { return } switch { - case isRunning && ignoreCache: - respondDeploy(w, ResDeploymentStoppedCacheDeletedDeploymentStarted) - case isRunning && !ignoreCache && argo.NumTasks(newWf) == 0: - respondDeploy(w, ResDeploymentStoppedDeploymentUpToDate) - case isRunning && !ignoreCache && argo.NumTasks(newWf) != 0: - respondDeploy(w, ResDeploymentStoppedDeploymentStarted) - case !isRunning && ignoreCache: + case isUpdating && ignoreCache: respondDeploy(w, ResCachedDeletedDeploymentStarted) - case !isRunning && !ignoreCache && argo.NumTasks(newWf) == 0: - if existingWf != nil && existingWf.Labels["ctxID"] == newWf.Labels["ctxID"] { - respondDeploy(w, ResDeploymentUpToDate) - return - } + case isUpdating && !ignoreCache: respondDeploy(w, ResDeploymentUpdated) - case !isRunning && !ignoreCache && argo.NumTasks(newWf) != 0: + case !isUpdating && ignoreCache: + respondDeploy(w, ResCachedDeletedDeploymentStarted) + case !isUpdating && !ignoreCache && existingCtx == nil: respondDeploy(w, ResDeploymentStarted) + case !isUpdating && !ignoreCache && existingCtx != nil && !fullCtxMatch: + respondDeploy(w, ResDeploymentUpdated) + case !isUpdating && !ignoreCache && existingCtx != nil && fullCtxMatch: + respondDeploy(w, ResDeploymentUpToDate) + default: + respondDeploy(w, ResDeploymentUpdated) // unexpected } } diff --git a/pkg/operator/endpoints/resources.go b/pkg/operator/endpoints/resources.go index a75cdf5e6b..af7c3a93c0 100644 --- a/pkg/operator/endpoints/resources.go +++ b/pkg/operator/endpoints/resources.go 
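Review bot: The response switch spells out more cases than it distinguishes: both `ignoreCache` arms return `ResCachedDeletedDeploymentStarted` whatever `isUpdating` is, and `fullCtxMatch` already implies `existingCtx != nil`. The arms are exhaustive, so the `default:` branch marked `// unexpected` is unreachable. An ordered form reads more directly: `case ignoreCache:`, then `case isUpdating:`, `case existingCtx == nil:`, `case !fullCtxMatch:`, with `default:` returning `ResDeploymentUpToDate`. This gives the same responses for every input.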
@@ -40,17 +40,7 @@ func GetResources(w http.ResponseWriter, r *http.Request) { return } - deployments, err := workloads.APIDeploymentMap(ctx.App.Name) - if RespondIfError(w, err) { - return - } - - apiStatuses, err := workloads.GetCurrentAPIStatuses(dataStatuses, deployments, ctx) - if RespondIfError(w, err) { - return - } - - apiGroupStatuses, err := workloads.GetAPIGroupStatuses(apiStatuses, deployments, ctx) + apiStatuses, apiGroupStatuses, err := workloads.GetCurrentAPIAndGroupStatuses(dataStatuses, ctx) if RespondIfError(w, err) { return } diff --git a/pkg/operator/endpoints/shared.go b/pkg/operator/endpoints/shared.go index d276e02ccb..2df4e3bc15 100644 --- a/pkg/operator/endpoints/shared.go +++ b/pkg/operator/endpoints/shared.go 
@@ -29,16 +29,13 @@ import ( ) const ( - ResDeploymentStarted = "Deployment started" - ResDeploymentUpdated = "Deployment updated" - ResDeploymentDeleted = "Deployment deleted" - ResDeploymentUpToDate = "Deployment is up-to-date" - ResDeploymentRunning = "Deployment is already running" - ResDifferentDeploymentRunning = "Another deployment is running, use --force to override" - ResCachedDeletedDeploymentStarted = "Cache deleted, deployment started" - ResDeploymentStoppedDeploymentStarted = "Running deployment stopped, new deployment started" - ResDeploymentStoppedCacheDeletedDeploymentStarted = "Running deployment stopped, cached deleted, new deployment started" - ResDeploymentStoppedDeploymentUpToDate = "Running deployment stopped, new deployment is up-to-date" + ResDeploymentStarted = "Deployment started" + ResDeploymentUpdated = "Deployment updated" + ResDeploymentDeleted = "Deployment deleted" + ResDeploymentUpToDate = "Deployment is up-to-date" + ResDeploymentUpToDateUpdating = "Deployment is already updating" + ResDifferentDeploymentUpdating = "Previous deployment is currently updating, use --force to override" + ResCachedDeletedDeploymentStarted = "Cache deleted, deployment started" ) func Respond(w http.ResponseWriter, response interface{}) { diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 4e88ae6b56..be56591c7e 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go 
@@ -17,38 +17,21 @@ limitations under the License. package main import ( - "fmt" "log" "net/http" "strings" - "time" "github.com/gorilla/mux" - cron "gopkg.in/robfig/cron.v2" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/cortexlabs/cortex/pkg/consts" - "github.com/cortexlabs/cortex/pkg/lib/aws" "github.com/cortexlabs/cortex/pkg/lib/errors" - "github.com/cortexlabs/cortex/pkg/lib/sets/strset" - "github.com/cortexlabs/cortex/pkg/lib/telemetry" "github.com/cortexlabs/cortex/pkg/operator/config" "github.com/cortexlabs/cortex/pkg/operator/context" "github.com/cortexlabs/cortex/pkg/operator/endpoints" "github.com/cortexlabs/cortex/pkg/operator/workloads" ) -const ( - operatorPortStr = "8888" - workflowDeletionDelay = 60 // seconds - cronInterval = 5 // seconds -) - -var ( - awsClient *aws.Client - telemtryClient *telemetry.Client - markedWorkflows = strset.New() -) +const operatorPortStr = "8888" func main() { if err := config.Init(); err != nil { @@ -67,7 +50,6 @@ func main() { } config.Telemetry.ReportEvent("operator.init") - startCron() router := mux.NewRouter() router.Use(panicMiddleware) 
@@ -132,71 +114,3 @@ func apiVersionCheckMiddleware(next http.Handler) http.Handler { next.ServeHTTP(w, r) }) } - -func startCron() { - cronRunner := cron.New() - cronInterval := fmt.Sprintf("@every %ds", cronInterval) - cronRunner.AddFunc(cronInterval, runCron) - cronRunner.Start() -} - -func runCron() { - defer reportAndRecover("cron failed") - apiPods, err := config.Kubernetes.ListPodsByLabels(map[string]string{ - "workloadType": workloads.WorkloadTypeAPI, - "userFacing": "true", - }) - if err != nil { - config.Telemetry.ReportError(err) - errors.PrintError(err) - } - - if err := workloads.UpdateAPISavedStatuses(apiPods); err != nil { - config.Telemetry.ReportError(err) - errors.PrintError(err) - } - - if err := workloads.UploadLogPrefixesFromAPIPods(apiPods); err != nil { - config.Telemetry.ReportError(err) - errors.PrintError(err) - } - - failedPods, err := config.Kubernetes.ListPods(&kmeta.ListOptions{ - FieldSelector: "status.phase=Failed", - }) - if err != nil { - config.Telemetry.ReportError(err) - errors.PrintError(err) - } - - if err := workloads.UpdateDataWorkflowErrors(failedPods); err != nil { - config.Telemetry.ReportError(err) - errors.PrintError(err) - } -} - -func deleteWorkflowDelayed(wfName string) { - deletionDelay := time.Duration(workflowDeletionDelay) * time.Second - if !markedWorkflows.Has(wfName) { - markedWorkflows.Add(wfName) - time.Sleep(deletionDelay) - config.Argo.Delete(wfName) - go deleteMarkerDelayed(markedWorkflows, wfName) - } -} - -// Wait some time before trying to delete again -func deleteMarkerDelayed(markerMap strset.Set, key string) { - time.Sleep(20 * time.Second) - markerMap.Remove(key) -} - -func reportAndRecover(strs ...string) error { - if errInterface := recover(); errInterface != nil { - err := errors.CastRecoverError(errInterface, strs...) - config.Telemetry.ReportError(err) - errors.PrintError(err) - return err - } - return nil -} 
diff --git a/pkg/operator/workloads/api_saved_status.go b/pkg/operator/workloads/api_saved_status.go index fdb11c5f99..57bbd58c04 100644 --- a/pkg/operator/workloads/api_saved_status.go +++ b/pkg/operator/workloads/api_saved_status.go @@ -137,7 +137,7 @@ func updateAPISavedStatusStartTime(savedStatus *resource.APISavedStatus, pods [] } } -func UpdateAPISavedStatuses(allPods []kcore.Pod) error { +func updateAPISavedStatuses(allPods []kcore.Pod) error { podMap := make(map[string][]kcore.Pod) for _, pod := range allPods { appName := pod.Labels["appName"] diff --git a/pkg/operator/workloads/api_status.go b/pkg/operator/workloads/api_status.go index 3f40262a5c..a5852b45c4 100644 --- a/pkg/operator/workloads/api_status.go +++ b/pkg/operator/workloads/api_status.go 
@@ -30,19 +30,36 @@ import ( "github.com/cortexlabs/cortex/pkg/operator/config" ) -func GetCurrentAPIStatuses( +func GetCurrentAPIAndGroupStatuses( dataStatuses map[string]*resource.DataStatus, - deployments map[string]*kapps.Deployment, // api.Name -> deployment ctx *context.Context, -) (map[string]*resource.APIStatus, error) { +) (map[string]*resource.APIStatus, map[string]*resource.APIGroupStatus, error) { + deployments, err := apiDeploymentMap(ctx.App.Name) + if err != nil { + return nil, nil, err + } - failedWorkloadIDs, err := getFailedArgoWorkloadIDs(ctx.App.Name) + apiStatuses, err := getCurrentAPIStatuses(dataStatuses, deployments, ctx) if err != nil { - return nil, err + return nil, nil, err } + apiGroupStatuses, err := getAPIGroupStatuses(apiStatuses, deployments, ctx) + if err != nil { + return nil, nil, err + } + + return apiStatuses, apiGroupStatuses, nil +} + +func getCurrentAPIStatuses( + dataStatuses map[string]*resource.DataStatus, + deployments map[string]*kapps.Deployment, // api.Name -> deployment + ctx *context.Context, +) (map[string]*resource.APIStatus, error) { + podList, err := config.Kubernetes.ListPodsByLabels(map[string]string{ - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "appName": ctx.App.Name, "userFacing": "true", }) @@ -99,7 +116,7 @@ func GetCurrentAPIStatuses( for resourceID, apiStatus := range apiStatuses { apiStatus.Path = context.APIPath(apiStatus.APIName, apiStatus.AppName) apiStatus.ReplicaCounts = replicaCountsMap[resourceID] - apiStatus.Code = apiStatusCode(apiStatus, failedWorkloadIDs) + apiStatus.Code = apiStatusCode(apiStatus) } for _, apiStatus := range apiStatuses { 
@@ -175,11 +192,7 @@ func getReplicaCountsMap( return replicaCountsMap } -func apiStatusCode(apiStatus *resource.APIStatus, failedWorkloadIDs strset.Set) resource.StatusCode { - if failedWorkloadIDs.Has(apiStatus.WorkloadID) { - return resource.StatusError - } - +func apiStatusCode(apiStatus *resource.APIStatus) resource.StatusCode { if apiStatus.MaxReplicas == 0 { if apiStatus.TotalReady() > 0 { return resource.StatusStopping @@ -235,7 +248,7 @@ func updateAPIStatusCodeByParents(apiStatus *resource.APIStatus, dataStatuses ma } } -func GetAPIGroupStatuses( +func getAPIGroupStatuses( apiStatuses map[string]*resource.APIStatus, deployments map[string]*kapps.Deployment, // api.Name -> deployment ctx *context.Context, diff --git a/pkg/operator/workloads/api.go b/pkg/operator/workloads/api_workload.go similarity index 73% rename from pkg/operator/workloads/api.go rename to pkg/operator/workloads/api_workload.go index fe7f1d5606..27d9d2d9c0 100644 --- a/pkg/operator/workloads/api.go +++ b/pkg/operator/workloads/api_workload.go @@ -22,14 +22,13 @@ import ( kapps "k8s.io/api/apps/v1" kautoscaling "k8s.io/api/autoscaling/v1" kcore "k8s.io/api/core/v1" + kextensions "k8s.io/api/extensions/v1beta1" kresource "k8s.io/apimachinery/pkg/api/resource" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" intstr "k8s.io/apimachinery/pkg/util/intstr" "github.com/cortexlabs/cortex/pkg/consts" "github.com/cortexlabs/cortex/pkg/lib/errors" "github.com/cortexlabs/cortex/pkg/lib/k8s" - "github.com/cortexlabs/cortex/pkg/lib/sets/strset" "github.com/cortexlabs/cortex/pkg/operator/api/context" "github.com/cortexlabs/cortex/pkg/operator/api/userconfig" "github.com/cortexlabs/cortex/pkg/operator/config" 
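Review bot: `apiStatusCode` no longer maps a failed workload to `resource.StatusError`, and the `failedWorkloadIDs` lookup that fed it is dropped from `getCurrentAPIStatuses` in the earlier hunk of this file. From the lines shown, the code is now derived from the replica fields alone. If API failures are meant to surface through another path, a comment on the function should record that, e.g. `// apiStatusCode derives the code from replica counts; workload failures are not consulted here`. The rest of the function body lies outside the hunk, so this needs confirming against the full file.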
@@ -38,8 +37,155 @@ import ( const ( apiContainerName = "api" tfServingContainerName = "serve" + + defaultPortInt32, defaultPortStr = int32(8888), "8888" + tfServingPortInt32, tfServingPortStr = int32(9000), "9000" ) +type APIWorkload struct { + BaseWorkload +} + +func populateAPIWorkloadIDs(ctx *context.Context, latestResourceWorkloadIDs map[string]string) { + for _, api := range ctx.APIs { + if api.WorkloadID != "" { + continue + } + if workloadID := latestResourceWorkloadIDs[api.ID]; workloadID != "" { + api.WorkloadID = workloadID + continue + } + api.WorkloadID = generateWorkloadID() + } +} + +func extractAPIWorkloads(ctx *context.Context) []Workload { + workloads := make([]Workload, 0, len(ctx.APIs)) + + for _, api := range ctx.APIs { + workloads = append(workloads, &APIWorkload{ + singleBaseWorkload(api, ctx.App.Name, workloadTypeAPI), + }) + } + + return workloads +} + +func (aw *APIWorkload) Start(ctx *context.Context) error { + api := ctx.APIs.OneByID(aw.GetSingleResourceID()) + + k8sDeloymentName := internalAPIName(api.Name, ctx.App.Name) + k8sDeloyment, err := config.Kubernetes.GetDeployment(k8sDeloymentName) + if err != nil { + return err + } + hpa, err := config.Kubernetes.GetHPA(k8sDeloymentName) + if err != nil { + return err + } + + desiredReplicas := api.Compute.InitReplicas + if k8sDeloyment != nil && k8sDeloyment.Spec.Replicas != nil { + desiredReplicas = *k8sDeloyment.Spec.Replicas + } + if hpa != nil && hpa.Spec.MinReplicas != nil && *hpa.Spec.MinReplicas > desiredReplicas { + desiredReplicas = *hpa.Spec.MinReplicas + } + + var deploymentSpec *kapps.Deployment + + switch api.ModelFormat { + case userconfig.TensorFlowModelFormat: + deploymentSpec = tfAPISpec(ctx, api, aw.WorkloadID, desiredReplicas) + case userconfig.ONNXModelFormat: + deploymentSpec = onnxAPISpec(ctx, api, aw.WorkloadID, desiredReplicas) + default: + return errors.New(api.Name, "unknown model format encountered") // unexpected + } + + _, err = 
config.Kubernetes.ApplyIngress(ingressSpec(ctx, api)) + if err != nil { + return err + } + + _, err = config.Kubernetes.ApplyService(serviceSpec(ctx, api)) + if err != nil { + return err + } + + _, err = config.Kubernetes.ApplyDeployment(deploymentSpec) + if err != nil { + return err + } + + _, err = config.Kubernetes.ApplyHPA(hpaSpec(ctx, api)) + if err != nil { + return err + } + + return nil +} + +func (aw *APIWorkload) IsSucceeded(ctx *context.Context) (bool, error) { + api := ctx.APIs.OneByID(aw.GetSingleResourceID()) + k8sDeloymentName := internalAPIName(api.Name, ctx.App.Name) + + k8sDeployment, err := config.Kubernetes.GetDeployment(k8sDeloymentName) + if err != nil { + return false, err + } + if k8sDeployment == nil || k8sDeployment.Labels["resourceID"] != api.ID || k8sDeployment.DeletionTimestamp != nil { + return false, nil + } + + hpa, err := config.Kubernetes.GetHPA(k8sDeloymentName) + if err != nil { + return false, err + } + + if doesAPIComputeNeedsUpdating(api, k8sDeployment, hpa) { + return false, nil + } + + if k8sDeployment.Status.AvailableReplicas < api.Compute.MinReplicas || k8sDeployment.Status.UpdatedReplicas < api.Compute.MinReplicas { + return false, nil + } + + return true, nil +} + +func (aw *APIWorkload) IsRunning(ctx *context.Context) (bool, error) { + api := ctx.APIs.OneByID(aw.GetSingleResourceID()) + k8sDeloymentName := internalAPIName(api.Name, ctx.App.Name) + + k8sDeployment, err := config.Kubernetes.GetDeployment(k8sDeloymentName) + if err != nil { + return false, err + } + if k8sDeployment == nil || k8sDeployment.Labels["resourceID"] != api.ID || k8sDeployment.DeletionTimestamp != nil { + return false, nil + } + + hpa, err := config.Kubernetes.GetHPA(k8sDeloymentName) + if err != nil { + return false, err + } + + if doesAPIComputeNeedsUpdating(api, k8sDeployment, hpa) { + return false, nil + } + + if k8sDeployment.Status.AvailableReplicas < api.Compute.MinReplicas || k8sDeployment.Status.UpdatedReplicas < api.Compute.MinReplicas 
{ + return true, nil + } + + return false, nil +} + +func (aw *APIWorkload) CanRun(ctx *context.Context) (bool, error) { + return areDataDependenciesSucceeded(ctx, aw.GetResourceIDs()) +} + func tfAPISpec( ctx *context.Context, api *context.API, @@ -72,20 +218,20 @@ func tfAPISpec( Replicas: desiredReplicas, Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, }, Selector: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, @@ -183,20 +329,20 @@ func onnxAPISpec( Replicas: desiredReplicas, Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, }, Selector: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, @@ -246,8 +392,8 @@ func onnxAPISpec( }) } -func ingressSpec(ctx *context.Context, api *context.API) *k8s.IngressSpec { - return &k8s.IngressSpec{ +func ingressSpec(ctx *context.Context, api *context.API) *kextensions.Ingress { + return k8s.Ingress(&k8s.IngressSpec{ Name: internalAPIName(api.Name, ctx.App.Name), ServiceName: internalAPIName(api.Name, ctx.App.Name), ServicePort: defaultPortInt32, 
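Review bot: `Start`, `IsSucceeded` and `IsRunning` each dereference the result of `ctx.APIs.OneByID(aw.GetSingleResourceID())` straight away via `api.Name`, so if `OneByID` can return nil for an ID that is no longer in the context (its definition is not in this section), the operator panics. A guard such as `if api == nil { return errors.New(aw.WorkloadID, "api not found in context") }` in `Start`, and `return false, nil` in the two predicates, would make that case explicit. `IsSucceeded` and `IsRunning` are identical up to the final replica comparison and could share a helper. `k8sDeloymentName` and `doesAPIComputeNeedsUpdating` look like typos for `k8sDeploymentName` and `doesAPIComputeNeedUpdating`.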
@@ -255,30 +401,30 @@ func ingressSpec(ctx *context.Context, api *context.API) *k8s.IngressSpec { IngressClass: "apis", Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, }, Namespace: config.Cortex.Namespace, - } + }) } -func serviceSpec(ctx *context.Context, api *context.API) *k8s.ServiceSpec { - return &k8s.ServiceSpec{ +func serviceSpec(ctx *context.Context, api *context.API) *kcore.Service { + return k8s.Service(&k8s.ServiceSpec{ Name: internalAPIName(api.Name, ctx.App.Name), Port: defaultPortInt32, TargetPort: defaultPortInt32, Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, }, Selector: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, }, Namespace: config.Cortex.Namespace, - } + }) } func hpaSpec(ctx *context.Context, api *context.API) *kautoscaling.HorizontalPodAutoscaler { 
@@ -289,75 +435,14 @@ func hpaSpec(ctx *context.Context, api *context.API) *kautoscaling.HorizontalPod TargetCPUUtilization: api.Compute.TargetCPUUtilization, Labels: map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, "apiName": api.Name, }, Namespace: config.Cortex.Namespace, }) } -func apiWorkloadSpecs(ctx *context.Context) ([]*WorkloadSpec, error) { - var workloadSpecs []*WorkloadSpec - - deployments, err := APIDeploymentMap(ctx.App.Name) - if err != nil { - return nil, err - } - - hpas, err := apiHPAMap(ctx.App.Name) - if err != nil { - return nil, err - } - - for apiName, api := range ctx.APIs { - workloadID := generateWorkloadID() - desiredReplicas := api.Compute.InitReplicas - - deployment, deploymentExists := deployments[apiName] - if deploymentExists && deployment.Labels["resourceID"] == api.ID && deployment.DeletionTimestamp == nil { - hpa := hpas[apiName] - - if !apiComputeNeedsUpdating(api, deployment, hpa) { - continue // Deployment is fully up to date (model and compute/replicas) - } - - // Reuse workloadID if just modifying compute/replicas - workloadID = deployment.Labels["workloadID"] - - // Use current replicas or min replicas - if deployment.Spec.Replicas != nil { - desiredReplicas = *deployment.Spec.Replicas - } - if hpa != nil && hpa.Spec.MinReplicas != nil && *hpa.Spec.MinReplicas > desiredReplicas { - desiredReplicas = *hpa.Spec.MinReplicas - } - } - - var spec kmeta.Object - - switch api.ModelFormat { - case userconfig.TensorFlowModelFormat: - spec = tfAPISpec(ctx, api, workloadID, desiredReplicas) - case userconfig.ONNXModelFormat: - spec = onnxAPISpec(ctx, api, workloadID, desiredReplicas) - default: - return nil, errors.New(api.Name, "unknown model format encountered") // unexpected - } - - workloadSpecs = append(workloadSpecs, &WorkloadSpec{ - WorkloadID: workloadID, - ResourceIDs: strset.New(api.ID), - K8sSpecs: []kmeta.Object{spec, hpaSpec(ctx, api)}, - K8sAction: "apply", 
- WorkloadType: WorkloadTypeAPI, - // SuccessCondition: k8s.DeploymentSuccessConditionAll, # Currently success conditions don't work for multi-resource config - }) - } - - return workloadSpecs, nil -} - -func apiComputeNeedsUpdating(api *context.API, deployment *kapps.Deployment, hpa *kautoscaling.HorizontalPodAutoscaler) bool { +func doesAPIComputeNeedsUpdating(api *context.API, deployment *kapps.Deployment, hpa *kautoscaling.HorizontalPodAutoscaler) bool { if hpa == nil { return true } @@ -389,7 +474,7 @@ func apiComputeNeedsUpdating(api *context.API, deployment *kapps.Deployment, hpa func deleteOldAPIs(ctx *context.Context) { ingresses, _ := config.Kubernetes.ListIngressesByLabels(map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, }) for _, ingress := range ingresses { if _, ok := ctx.APIs[ingress.Labels["apiName"]]; !ok { @@ -399,7 +484,7 @@ func deleteOldAPIs(ctx *context.Context) { services, _ := config.Kubernetes.ListServicesByLabels(map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, }) for _, service := range services { if _, ok := ctx.APIs[service.Labels["apiName"]]; !ok { @@ -409,7 +494,7 @@ func deleteOldAPIs(ctx *context.Context) { deployments, _ := config.Kubernetes.ListDeploymentsByLabels(map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, }) for _, deployment := range deployments { if _, ok := ctx.APIs[deployment.Labels["apiName"]]; !ok { @@ -419,7 +504,7 @@ func deleteOldAPIs(ctx *context.Context) { hpas, _ := config.Kubernetes.ListHPAsByLabels(map[string]string{ "appName": ctx.App.Name, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, }) for _, hpa := range hpas { if _, ok := ctx.APIs[hpa.Labels["apiName"]]; !ok { 
@@ -428,38 +513,11 @@ func deleteOldAPIs(ctx *context.Context) { } } -func createServicesAndIngresses(ctx *context.Context) error { - for _, api := range ctx.APIs { - ingressExists, err := config.Kubernetes.IngressExists(internalAPIName(api.Name, ctx.App.Name)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "ingresses", api.Name, "create") - } - if !ingressExists { - _, err = config.Kubernetes.CreateIngress(ingressSpec(ctx, api)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "ingresses", api.Name, "create") - } - } - - serviceExists, err := config.Kubernetes.ServiceExists(internalAPIName(api.Name, ctx.App.Name)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") - } - if !serviceExists { - _, err = config.Kubernetes.CreateService(serviceSpec(ctx, api)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") - } - } - } - return nil -} - // This returns map apiName -> deployment (not internalName -> deployment) -func APIDeploymentMap(appName string) (map[string]*kapps.Deployment, error) { +func apiDeploymentMap(appName string) (map[string]*kapps.Deployment, error) { deploymentList, err := config.Kubernetes.ListDeploymentsByLabels(map[string]string{ "appName": appName, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, }) if err != nil { return nil, errors.Wrap(err, appName) @@ -482,7 +540,7 @@ func addToDeploymentMap(deployments map[string]*kapps.Deployment, deployment kap func apiHPAMap(appName string) (map[string]*kautoscaling.HorizontalPodAutoscaler, error) { hpaList, err := config.Kubernetes.ListHPAsByLabels(map[string]string{ "appName": appName, - "workloadType": WorkloadTypeAPI, + "workloadType": workloadTypeAPI, }) if err != nil { return nil, errors.Wrap(err, appName) diff --git a/pkg/operator/workloads/consts.go b/pkg/operator/workloads/consts.go deleted file mode 100644 index 2115b9f154..0000000000 
--- a/pkg/operator/workloads/consts.go +++ /dev/null @@ -1,29 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package workloads - -const ( - WorkloadTypeAPI = "api" - workloadTypeData = "data-job" - workloadTypeTrain = "training-job" - workloadTypePythonPackager = "python-packager" - - defaultPortInt32, defaultPortStr = int32(8888), "8888" - tfServingPortInt32, tfServingPortStr = int32(9000), "9000" - - userFacingCheckInterval = 1 // seconds -) diff --git a/pkg/operator/workloads/cron.go b/pkg/operator/workloads/cron.go new file mode 100644 index 0000000000..8a787fd41b --- /dev/null +++ b/pkg/operator/workloads/cron.go 
@@ -0,0 +1,100 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package workloads + +import ( + "time" + + kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/cortexlabs/cortex/pkg/lib/errors" + "github.com/cortexlabs/cortex/pkg/operator/config" +) + +const cronInterval = 5 // seconds + +var cronChannel = make(chan struct{}, 1) + +func cronRunner() { + timer := time.NewTimer(0) + defer timer.Stop() + + for { + select { + case <-cronChannel: + runCron() + case <-timer.C: + runCron() + } + timer.Reset(5 * time.Second) + } +} + +func runCronNow() { + cronChannel <- struct{}{} +} + +func runCron() { + defer reportAndRecover("cron failed") + + if err := UpdateWorkflows(); err != nil { + config.Telemetry.ReportError(err) + errors.PrintError(err) + } + + apiPods, err := config.Kubernetes.ListPodsByLabels(map[string]string{ + "workloadType": workloadTypeAPI, + "userFacing": "true", + }) + if err != nil { + config.Telemetry.ReportError(err) + errors.PrintError(err) + } + + if err := updateAPISavedStatuses(apiPods); err != nil { + config.Telemetry.ReportError(err) + errors.PrintError(err) + } + + if err := uploadLogPrefixesFromAPIPods(apiPods); err != nil { + config.Telemetry.ReportError(err) + errors.PrintError(err) + } + + failedPods, err := config.Kubernetes.ListPods(&kmeta.ListOptions{ + FieldSelector: "status.phase=Failed", + }) + if err != nil { + config.Telemetry.ReportError(err) + errors.PrintError(err) + } + + if err := 
updateDataWorkloadErrors(failedPods); err != nil { + config.Telemetry.ReportError(err) + errors.PrintError(err) + } +} + +func reportAndRecover(strs ...string) error { + if errInterface := recover(); errInterface != nil { + err := errors.CastRecoverError(errInterface, strs...) + config.Telemetry.ReportError(err) + errors.PrintError(err) + return err + } + return nil +} diff --git a/pkg/operator/workloads/current_contexts.go b/pkg/operator/workloads/current_contexts.go index e62d5dacda..f5228c0def 100644 --- a/pkg/operator/workloads/current_contexts.go +++ b/pkg/operator/workloads/current_contexts.go @@ -17,11 +17,17 @@ limitations under the License. package workloads import ( + "fmt" "sync" + "github.com/cortexlabs/cortex/pkg/lib/k8s" "github.com/cortexlabs/cortex/pkg/operator/api/context" + "github.com/cortexlabs/cortex/pkg/operator/config" + ocontext "github.com/cortexlabs/cortex/pkg/operator/context" ) +const configMapName = "cortex-current-contexts" + // appName -> currently deployed context var currentCtxs = struct { m map[string]*context.Context 
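Review bot: `runCronNow` in the new `cron.go` sends on `cronChannel`, which has capacity 1, so a second caller blocks until `cronRunner` finishes the current `runCron` pass and receives again. A queued trigger already guarantees another pass, so a non-blocking send such as `select { case cronChannel <- struct{}{}: default: }` would coalesce requests instead of stalling the caller. In `cronRunner`, `timer.Reset(5 * time.Second)` hard-codes the interval while the `cronInterval` constant declared above is never used in this file; `timer.Reset(cronInterval * time.Second)` keeps the two in step. In `runCron`, a failed `ListPodsByLabels` or `ListPods` is reported but the nil slice is still passed to the update functions, so a short comment saying this best-effort behaviour is intended would help.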
@@ -37,23 +43,82 @@ func CurrentContext(appName string) *context.Context { func CurrentContexts() []*context.Context { currentCtxs.RLock() defer currentCtxs.RUnlock() - ctxs := make([]*context.Context, len(currentCtxs.m)) - i := 0 + ctxs := make([]*context.Context, 0, len(currentCtxs.m)) for _, ctx := range currentCtxs.m { - ctxs[i] = ctx - i++ + ctxs = append(ctxs, ctx) } return ctxs } -func setCurrentContext(ctx *context.Context) { +func setCurrentContext(ctx *context.Context) error { currentCtxs.Lock() defer currentCtxs.Unlock() + currentCtxs.m[ctx.App.Name] = ctx + + err := updateContextConfigMap() + if err != nil { + return err + } + + return nil } -func deleteCurrentContext(appName string) { +func deleteCurrentContext(appName string) error { currentCtxs.Lock() defer currentCtxs.Unlock() + delete(currentCtxs.m, appName) + + err := updateContextConfigMap() + if err != nil { + return err + } + + return nil +} + +func updateContextConfigMap() error { + configMapData := make(map[string]string, len(currentCtxs.m)) + for appName, ctx := range currentCtxs.m { + configMapData[appName] = ctx.ID + } + + configMap := k8s.ConfigMap(&k8s.ConfigMapSpec{ + Name: configMapName, + Namespace: config.Cortex.Namespace, + Data: configMapData, + }) + + _, err := config.Kubernetes.ApplyConfigMap(configMap) + if err != nil { + return err + } + + return nil +} + +func reloadCurrentContexts() error { + currentCtxs.Lock() + defer currentCtxs.Unlock() + + configMap, err := config.Kubernetes.GetConfigMap(configMapName) + if err != nil { + return err + } + if configMap == nil { + return nil + } + + for appName, ctxID := range configMap.Data { + ctx, err := ocontext.DownloadContext(ctxID, appName) + if err != nil { + fmt.Printf("Deleting stale workflow: %s", appName) + DeleteApp(appName, true) + } else if ctx != nil { + currentCtxs.m[appName] = ctx + } + } + + return nil } 
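Review bot: In `reloadCurrentContexts`, any error from `ocontext.DownloadContext` leads to `DeleteApp(appName, true)`, so a transient storage or network failure at reload time is treated like a genuinely stale entry and removes the app; the result of `DeleteApp` is also discarded. Deletion should be limited to the case where the context is confirmed missing, with other errors returned to the caller (`return err`) so the reload can be retried. The function holds `currentCtxs.Lock()` for the whole loop; if `DeleteApp` (not visible in this hunk) reaches `deleteCurrentContext`, which takes the same lock, the call would deadlock because `sync.RWMutex` is not reentrant. `setCurrentContext` and `deleteCurrentContext` change the map before `updateContextConfigMap` runs, so a failed `ApplyConfigMap` leaves memory and the ConfigMap out of sync, which deserves a comment or a rollback.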
diff --git a/pkg/operator/workloads/data_saved_status.go b/pkg/operator/workloads/data_saved_status.go index 6b4e60f81a..cd338a32cd 100644 --- a/pkg/operator/workloads/data_saved_status.go +++ b/pkg/operator/workloads/data_saved_status.go @@ -19,10 +19,14 @@ package workloads import ( "time" + kcore "k8s.io/api/core/v1" + "github.com/cortexlabs/cortex/pkg/lib/aws" "github.com/cortexlabs/cortex/pkg/lib/errors" + "github.com/cortexlabs/cortex/pkg/lib/k8s" "github.com/cortexlabs/cortex/pkg/lib/parallel" "github.com/cortexlabs/cortex/pkg/lib/pointer" + "github.com/cortexlabs/cortex/pkg/lib/sets/strset" "github.com/cortexlabs/cortex/pkg/operator/api/context" "github.com/cortexlabs/cortex/pkg/operator/api/resource" "github.com/cortexlabs/cortex/pkg/operator/config" @@ -88,7 +92,7 @@ func getDataSavedStatuses(resourceWorkloadIDs map[string]string, appName string) return nil, err } - savedStatusMap := map[string]*resource.DataSavedStatus{} + savedStatusMap := make(map[string]*resource.DataSavedStatus) for _, savedStatus := range savedStatuses { if savedStatus != nil { savedStatusMap[savedStatus.ResourceID] = savedStatus 
@@ -135,3 +139,86 @@ func updateKilledDataSavedStatuses(ctx *context.Context) error { } return nil } + +func updateDataWorkloadErrors(failedPods []kcore.Pod) error { + checkedWorkloadIDs := strset.New() + nowTime := pointer.Time(time.Now()) + + for _, pod := range failedPods { + appName, ok := pod.Labels["appName"] + if !ok { + continue + } + workloadID, ok := pod.Labels["workloadID"] + if !ok { + continue + } + + if pod.Labels["workloadType"] == workloadTypeAPI { + continue + } + + if checkedWorkloadIDs.Has(workloadID) { + continue + } + checkedWorkloadIDs.Add(workloadID) + + savedWorkload, err := getSavedBaseWorkload(workloadID, appName) + if err != nil { + return err + } + if savedWorkload == nil { + continue + } + + resourceWorkloadIDs := make(map[string]string, len(savedWorkload.Resources)) + for _, resource := range savedWorkload.Resources { + resourceWorkloadIDs[resource.ID] = workloadID + } + + savedStatuses, err := getDataSavedStatuses(resourceWorkloadIDs, appName) + if err != nil { + return err + } + + var savedStatusesToUpload []*resource.DataSavedStatus + for resourceID, res := range savedWorkload.Resources { + savedStatus := savedStatuses[resourceID] + + if savedStatus == nil { + savedStatus = &resource.DataSavedStatus{ + BaseSavedStatus: resource.BaseSavedStatus{ + ResourceID: resourceID, + ResourceType: res.ResourceType, + WorkloadID: workloadID, + AppName: appName, + }, + } + } + + if savedStatus.End == nil { + savedStatus.End = nowTime + if savedStatus.Start == nil { + savedStatus.Start = nowTime + } + + switch k8s.GetPodStatus(&pod) { + case k8s.PodStatusKilled: + savedStatus.ExitCode = resource.ExitCodeDataKilled + case k8s.PodStatusKilledOOM: + savedStatus.ExitCode = resource.ExitCodeDataOOM + default: + savedStatus.ExitCode = resource.ExitCodeDataFailed + } + + savedStatusesToUpload = append(savedStatusesToUpload, savedStatus) + } + } + + err = uploadDataSavedStatuses(savedStatusesToUpload) + if err != nil { + return err + } + } + return nil +} 
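Review bot: `updateDataWorkloadErrors` takes `appName` and `workloadID` from the labels of every failed pod and skips only pods labelled `workloadTypeAPI`, so a pod with no `workloadType` label, or an unexpected one, is still used to look up and overwrite saved statuses. The pod list comes from `ListPods` with just `status.phase=Failed` in `runCron`, so an explicit allow-list of the data workload types before `getSavedBaseWorkload` would keep unrelated pods from influencing status records. Each `return err` inside the loop also stops processing of all remaining failed pods, and the same pod will fail again on the next pass; reporting the error and continuing with the next pod may be the better behaviour here. The first inner loop names its variable `resource`, which shadows the imported `resource` package; `res`, as in the second loop, avoids that.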
diff --git a/pkg/operator/workloads/errors.go b/pkg/operator/workloads/errors.go index 612d898f30..81e596cbaa 100644 --- a/pkg/operator/workloads/errors.go +++ b/pkg/operator/workloads/errors.go @@ -21,8 +21,6 @@ type ErrorKind int const ( ErrUnknown ErrorKind = iota ErrMoreThanOneWorkflow - ErrContextAppMismatch - ErrWorkflowAppMismatch ErrCortexInstallationBroken ErrLoadBalancerInitializing ErrNotFound @@ -31,8 +29,6 @@ const ( var errorKinds = []string{ "err_unknown", "err_more_than_one_workflow", - "err_context_app_mismatch", - "err_workflow_app_mismatch", "err_cortex_installation_broken", "err_load_balancer_initializing", "err_not_found", @@ -90,20 +86,6 @@ func ErrorMoreThanOneWorkflow() error { } } -func ErrorContextAppMismatch() error { - return Error{ - Kind: ErrContextAppMismatch, - message: "context deployments do not match", - } -} - -func ErrorWorkflowAppMismatch() error { - return Error{ - Kind: ErrWorkflowAppMismatch, - message: "workflow deployments do not match", - } -} - func ErrorCortexInstallationBroken() error { return Error{ Kind: ErrCortexInstallationBroken, diff --git a/pkg/operator/workloads/latest_workload_id.go b/pkg/operator/workloads/latest_workload_id.go index a354171707..e4d51f75d4 100644 --- a/pkg/operator/workloads/latest_workload_id.go +++ b/pkg/operator/workloads/latest_workload_id.go @@ -89,7 +89,7 @@ func getSavedLatestWorkloadIDs(resourceIDs strset.Set, appName string) (map[stri return nil, err } - workloadIDMap := map[string]string{} + workloadIDMap := make(map[string]string) for i := range workloadIDList { workloadIDMap[resourceIDList[i]] = workloadIDList[i] } diff --git a/pkg/operator/workloads/log_prefix.go b/pkg/operator/workloads/log_prefix.go index fda2d5d905..e16899cf88 100644 --- a/pkg/operator/workloads/log_prefix.go +++ b/pkg/operator/workloads/log_prefix.go 
@@ -89,11 +89,11 @@ func getSavedLogPrefix(workloadID string, appName string, allowNil bool) (string return logPrefix, nil } -func UploadLogPrefixesFromAPIPods(pods []kcore.Pod) error { +func uploadLogPrefixesFromAPIPods(pods []kcore.Pod) error { logPrefixInfos := []*LogPrefixInfo{} currentWorkloadIDs := make(map[string]strset.Set) for _, pod := range pods { - if pod.Labels["workloadType"] != WorkloadTypeAPI { + if pod.Labels["workloadType"] != workloadTypeAPI { continue } diff --git a/pkg/operator/workloads/logs.go b/pkg/operator/workloads/logs.go index 10a4333540..0dfcdf22cb 100644 --- a/pkg/operator/workloads/logs.go +++ b/pkg/operator/workloads/logs.go @@ -36,9 +36,10 @@ import ( ) const ( - writeWait = 10 * time.Second - closeGracePeriod = 10 * time.Second - maxMessageSize = 8192 + pendingLogCheckInterval = 1 //seconds + writeWait = 10 * time.Second + closeGracePeriod = 10 * time.Second + maxMessageSize = 8192 ) func ReadLogs(appName string, workloadID string, verbose bool, socket *websocket.Conn) { @@ -80,7 +81,7 @@ func ReadLogs(appName string, workloadID string, verbose bool, socket *websocket getKubectlLogs(&podMap[k8s.PodStatusKilledOOM][0], verbose, wrotePending, false, socket) case len(podMap[k8s.PodStatusFailed]) > 0: previous := false - if pods[0].Labels["workloadType"] == WorkloadTypeAPI { + if pods[0].Labels["workloadType"] == workloadTypeAPI { previous = true } getKubectlLogs(&podMap[k8s.PodStatusFailed][0], verbose, wrotePending, previous, socket) @@ -94,9 +95,12 @@ func ReadLogs(appName string, workloadID string, verbose bool, socket *websocket return } - wf, _ := GetWorkflow(appName) - pWf, _ := parseWorkflow(wf) - if pWf == nil || pWf.Workloads[workloadID] == nil { + isPending, err := IsWorkloadPending(appName, workloadID) + if err != nil { + writeSocket(err.Error(), socket) + return + } + if !isPending { logPrefix, err := getSavedLogPrefix(workloadID, appName, true) if err != nil { writeSocket(err.Error(), socket) 
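Review bot: In the `ReadLogs` hunk at `@@ -94,9 +95,12 @@`, the error from `IsWorkloadPending` is sent to the websocket client verbatim with `writeSocket(err.Error(), socket)`, which may expose internal details (wrapped Kubernetes or storage errors) to whoever holds the socket. Consider reporting the full error on the server side, as `runCron` does with `config.Telemetry.ReportError(err)`, and sending the client a generic message. The change also alters behaviour: the removed code ignored errors from `GetWorkflow` and `parseWorkflow` and kept polling, while the new code ends the log stream on the first error, so a comment stating that this is intended would help. `ReadLogs` starts and ends outside this hunk.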
@@ -109,19 +113,6 @@ func ReadLogs(appName string, workloadID string, verbose bool, socket *websocket return } - failedArgoPod, err := getFailedArgoPodForWorkload(workloadID, appName) - if err != nil { - writeSocket(err.Error(), socket) - return - } - if failedArgoPod != nil { - if !writeSocket("\nFailed to start:\n", socket) { - return - } - getKubectlLogs(failedArgoPod, true, false, false, socket) - return - } - if !wrotePending { if !writeSocket("\nPending", socket) { return @@ -129,7 +120,7 @@ func ReadLogs(appName string, workloadID string, verbose bool, socket *websocket wrotePending = true } - time.Sleep(time.Duration(userFacingCheckInterval) * time.Second) + time.Sleep(time.Duration(pendingLogCheckInterval) * time.Second) } } @@ -151,7 +142,7 @@ func getKubectlLogs(pod *kcore.Pod, verbose bool, wrotePending bool, previous bo } args = append(args, pod.Name) - if pod.Labels["workloadType"] == WorkloadTypeAPI && pod.Labels["userFacing"] == "true" { + if pod.Labels["workloadType"] == workloadTypeAPI && pod.Labels["userFacing"] == "true" { args = append(args, apiContainerName) } diff --git a/pkg/operator/workloads/parsed_workflow.go b/pkg/operator/workloads/parsed_workflow.go deleted file mode 100644 index ac0ab2d934..0000000000 --- a/pkg/operator/workloads/parsed_workflow.go +++ /dev/null 
@@ -1,143 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package workloads - -import ( - "time" - - argowf "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1" - kcore "k8s.io/api/core/v1" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - - "github.com/cortexlabs/cortex/pkg/lib/argo" - "github.com/cortexlabs/cortex/pkg/lib/errors" - "github.com/cortexlabs/cortex/pkg/lib/k8s" - "github.com/cortexlabs/cortex/pkg/lib/sets/strset" - "github.com/cortexlabs/cortex/pkg/operator/config" -) - -type WorkflowItem struct { - WorkloadID string - WorkloadType string - StartedAt *time.Time - FinishedAt *time.Time - ArgoPhase *argowf.NodePhase - DirectDependencies strset.Set - AllDependencies strset.Set -} - -type ParsedWorkflow struct { - Workloads map[string]*WorkflowItem // workloadID -> *WorkflowItem - Wf *argowf.Workflow -} - -func parseWorkflow(wf *argowf.Workflow) (*ParsedWorkflow, error) { - if wf == nil { - return nil, nil - } - - pWf := &ParsedWorkflow{ - Workloads: map[string]*WorkflowItem{}, - Wf: wf, - } - - for _, argoWfItem := range argo.ParseWorkflow(wf) { - workloadID := argoWfItem.Labels["workloadID"] - workloadType := argoWfItem.Labels["workloadType"] - if workloadID == "" || workloadType == "" { - continue - } - - pWf.Workloads[workloadID] = &WorkflowItem{ - WorkloadID: workloadID, - WorkloadType: workloadType, - StartedAt: argoWfItem.StartedAt(), - FinishedAt: argoWfItem.FinishedAt(), - ArgoPhase: argoWfItem.Phase(), - 
DirectDependencies: argoWfItem.Dependencies(), - } - } - - for workloadID, wfItem := range pWf.Workloads { - allDependencies, err := getAllDependencies(workloadID, pWf.Workloads) - if err != nil { - return nil, err - } - wfItem.AllDependencies = allDependencies - } - - return pWf, nil -} - -func getAllDependencies(workloadID string, workloads map[string]*WorkflowItem) (strset.Set, error) { - wfItem, ok := workloads[workloadID] - if !ok { - return nil, errors.Wrap(ErrorNotFound(), "workload", workloadID) - } - allDependencies := strset.New() - if len(wfItem.DirectDependencies) == 0 { - return allDependencies, nil - } - for dependency := range wfItem.DirectDependencies { - allDependencies.Add(dependency) - subDependencies, err := getAllDependencies(dependency, workloads) - if err != nil { - return nil, err - } - allDependencies.Merge(subDependencies) - } - return allDependencies, nil -} - -func getFailedArgoWorkloadIDs(appName string) (strset.Set, error) { - failedArgoPods, err := config.Kubernetes.ListPods(&kmeta.ListOptions{ - FieldSelector: "status.phase=Failed", - LabelSelector: k8s.LabelSelector(map[string]string{ - "appName": appName, - "argo": "true", - }), - }) - if err != nil { - return nil, err - } - - failedWorkloadIDs := strset.New() - for _, pod := range failedArgoPods { - failedWorkloadIDs.Add(pod.Labels["workloadID"]) - } - return failedWorkloadIDs, nil -} - -func getFailedArgoPodForWorkload(workloadID string, appName string) (*kcore.Pod, error) { - failedArgoPods, err := config.Kubernetes.ListPods(&kmeta.ListOptions{ - FieldSelector: "status.phase=Failed", - LabelSelector: k8s.LabelSelector(map[string]string{ - "appName": appName, - "workloadID": workloadID, - "argo": "true", - }), - }) - if err != nil { - return nil, err - } - - if len(failedArgoPods) == 0 { - return nil, nil - } - - return &failedArgoPods[0], nil -} 
diff --git a/pkg/operator/workloads/python_package_job.go b/pkg/operator/workloads/python_package_job.go
deleted file mode 100644
index 6eed89740d..0000000000
--- a/pkg/operator/workloads/python_package_job.go
+++ /dev/null
@@ -1,109 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package workloads - -import ( - "strings" - - kbatch "k8s.io/api/batch/v1" - kcore "k8s.io/api/core/v1" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - - "github.com/cortexlabs/cortex/pkg/consts" - "github.com/cortexlabs/cortex/pkg/lib/argo" - "github.com/cortexlabs/cortex/pkg/lib/k8s" - "github.com/cortexlabs/cortex/pkg/lib/sets/strset" - "github.com/cortexlabs/cortex/pkg/operator/api/context" - "github.com/cortexlabs/cortex/pkg/operator/config" -) - -func pythonPackageJobSpec(ctx *context.Context, pythonPackages strset.Set, workloadID string) *kbatch.Job { - spec := k8s.Job(&k8s.JobSpec{ - Name: workloadID, - Labels: map[string]string{ - "appName": ctx.App.Name, - "workloadType": workloadTypePythonPackager, - "workloadID": workloadID, - }, - PodSpec: k8s.PodSpec{ - Labels: map[string]string{ - "appName": ctx.App.Name, - "workloadType": workloadTypePythonPackager, - "workloadID": workloadID, - "userFacing": "true", - }, - K8sPodSpec: kcore.PodSpec{ - RestartPolicy: "Never", - Containers: []kcore.Container{ - { - Name: "python-packager", - Image: config.Cortex.PythonPackagerImage, - ImagePullPolicy: "Always", - Args: []string{ - "--workload-id=" + workloadID, - "--context=" + config.AWS.S3Path(ctx.Key), - "--cache-dir=" + consts.ContextCacheDir, - "--python-packages=" + strings.Join(pythonPackages.Slice(), ","), - "--build", - }, - Env: k8s.AWSCredentials(), - VolumeMounts: 
k8s.DefaultVolumeMounts(), - }, - }, - Volumes: k8s.DefaultVolumes(), - ServiceAccountName: "default", - }, - }, - Namespace: config.Cortex.Namespace, - }) - argo.EnableGC(spec) - return spec -} - -func pythonPackageWorkloadSpecs(ctx *context.Context) ([]*WorkloadSpec, error) { - resourceIDs := strset.New() - - for _, pythonPackage := range ctx.PythonPackages { - isPythonPackageCached, err := checkResourceCached(pythonPackage, ctx) - if err != nil { - return nil, err - } - if isPythonPackageCached { - continue - } - resourceIDs.Add(pythonPackage.GetID()) - } - - if len(resourceIDs) == 0 { - return nil, nil - } - - workloadID := generateWorkloadID() - - spec := pythonPackageJobSpec(ctx, resourceIDs, workloadID) - workloadSpec := &WorkloadSpec{ - WorkloadID: workloadID, - ResourceIDs: resourceIDs, - K8sSpecs: []kmeta.Object{spec}, - K8sAction: "create", - SuccessCondition: k8s.JobSuccessCondition, - FailureCondition: k8s.JobFailureCondition, - WorkloadType: workloadTypePythonPackager, - } - - return []*WorkloadSpec{workloadSpec}, nil -} diff --git a/pkg/operator/workloads/python_package_workload.go b/pkg/operator/workloads/python_package_workload.go new file mode 100644 index 0000000000..0ed226de81 --- /dev/null +++ b/pkg/operator/workloads/python_package_workload.go 
@@ -0,0 +1,124 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package workloads + +import ( + "strings" + + kcore "k8s.io/api/core/v1" + + "github.com/cortexlabs/cortex/pkg/consts" + "github.com/cortexlabs/cortex/pkg/lib/k8s" + "github.com/cortexlabs/cortex/pkg/operator/api/context" + "github.com/cortexlabs/cortex/pkg/operator/config" +) + +type PythonPackagesWorkload struct { + BaseWorkload +} + +func populatePythonPackageWorkloadIDs(ctx *context.Context, latestResourceWorkloadIDs map[string]string) { + pythonPackagesWorkloadID := generateWorkloadID() + + for _, pythonPackage := range ctx.PythonPackages { + if pythonPackage.WorkloadID != "" { + continue + } + if workloadID := latestResourceWorkloadIDs[pythonPackage.ID]; workloadID != "" { + pythonPackage.WorkloadID = workloadID + continue + } + pythonPackage.WorkloadID = pythonPackagesWorkloadID + } +} + +func extractPythonPackageWorkloads(ctx *context.Context) []Workload { + workloadMap := make(map[string]*PythonPackagesWorkload) + for _, pythonPackage := range ctx.PythonPackages { + if _, ok := workloadMap[pythonPackage.WorkloadID]; !ok { + workloadMap[pythonPackage.WorkloadID] = &PythonPackagesWorkload{ + emptyBaseWorkload(ctx.App.Name, pythonPackage.WorkloadID, workloadTypePythonPackager), + } + } + workloadMap[pythonPackage.WorkloadID].AddResource(pythonPackage) + } + + workloads := make([]Workload, 0, len(workloadMap)) + for _, workload := range workloadMap { + workloads = 
append(workloads, workload) + } + return workloads +} + +func (pyw *PythonPackagesWorkload) Start(ctx *context.Context) error { + spec := &k8s.JobSpec{ + Name: pyw.WorkloadID, + Labels: map[string]string{ + "appName": ctx.App.Name, + "workloadType": workloadTypePythonPackager, + "workloadID": pyw.WorkloadID, + }, + PodSpec: k8s.PodSpec{ + Labels: map[string]string{ + "appName": ctx.App.Name, + "workloadType": workloadTypePythonPackager, + "workloadID": pyw.WorkloadID, + "userFacing": "true", + }, + K8sPodSpec: kcore.PodSpec{ + RestartPolicy: "Never", + Containers: []kcore.Container{ + { + Name: "python-packager", + Image: config.Cortex.PythonPackagerImage, + ImagePullPolicy: "Always", + Args: []string{ + "--workload-id=" + pyw.WorkloadID, + "--context=" + config.AWS.S3Path(ctx.Key), + "--cache-dir=" + consts.ContextCacheDir, + "--python-packages=" + strings.Join(pyw.GetResourceIDs().Slice(), ","), + "--build", + }, + Env: k8s.AWSCredentials(), + VolumeMounts: k8s.DefaultVolumeMounts(), + }, + }, + Volumes: k8s.DefaultVolumes(), + ServiceAccountName: "default", + }, + }, + Namespace: config.Cortex.Namespace, + } + + _, err := config.Kubernetes.CreateJob(k8s.Job(spec)) + if err != nil { + return err + } + return nil +} + +func (pyw *PythonPackagesWorkload) IsRunning(ctx *context.Context) (bool, error) { + return config.Kubernetes.IsJobRunning(pyw.WorkloadID) +} + +func (pyw *PythonPackagesWorkload) CanRun(ctx *context.Context) (bool, error) { + return areDataDependenciesSucceeded(ctx, pyw.GetResourceIDs()) +} + +func (pyw *PythonPackagesWorkload) IsSucceeded(ctx *context.Context) (bool, error) { + return areDataResourcesSucceeded(ctx, pyw.GetResourceIDs()) +} diff --git a/pkg/operator/workloads/saved_base_workload.go b/pkg/operator/workloads/saved_base_workload.go new file mode 100644 index 0000000000..f87773455a --- /dev/null +++ b/pkg/operator/workloads/saved_base_workload.go 
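Review bot: `PythonPackagesWorkload.Start` gives the `python-packager` container `Env: k8s.AWSCredentials()` and `ServiceAccountName: "default"`, and the container is started with `--python-packages=...` and `--build`, so it presumably builds user-supplied packages with those credentials in its environment. If the packager runs package build code, that code can read the credentials; confirm that `k8s.AWSCredentials()` is scoped to the minimum the job needs, or hand the job narrower credentials than the operator uses. The deleted `pythonPackageJobSpec` called `argo.EnableGC(spec)` and this version has no replacement in view, so it is worth stating in a comment where finished jobs are now cleaned up. `populatePythonPackageWorkloadIDs` and `extractPythonPackageWorkloads` have no doc comments; a line each on how a shared workload ID groups packages would help.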
@@ -0,0 +1,112 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package workloads + +import ( + "github.com/cortexlabs/cortex/pkg/lib/aws" + "github.com/cortexlabs/cortex/pkg/lib/errors" + "github.com/cortexlabs/cortex/pkg/lib/parallel" + "github.com/cortexlabs/cortex/pkg/operator/config" + ocontext "github.com/cortexlabs/cortex/pkg/operator/context" +) + +func uploadBaseWorkload(baseWorkload *BaseWorkload) error { + if isBaseWorkloadCached(baseWorkload) { + return nil + } + + key := ocontext.BaseWorkloadKey(baseWorkload.WorkloadID, baseWorkload.AppName) + err := config.AWS.UploadJSONToS3(baseWorkload, key) + if err != nil { + return errors.Wrap(err, "upload base workload", baseWorkload.AppName, baseWorkload.WorkloadID) + } + cacheBaseWorkload(baseWorkload) + return nil +} + +func uploadBaseWorkloads(baseWorkloads []*BaseWorkload) error { + fns := make([]func() error, len(baseWorkloads)) + for i, baseWorkload := range baseWorkloads { + fns[i] = uploadBaseWorkloadFunc(baseWorkload) + } + return parallel.RunFirstErr(fns...) +} + +func uploadBaseWorkloadsFromWorkloads(workloads []Workload) error { + fns := make([]func() error, len(workloads)) + for i, workload := range workloads { + fns[i] = uploadBaseWorkloadFunc(workload.GetBaseWorkloadPtr()) + } + return parallel.RunFirstErr(fns...) 
+} + +func uploadBaseWorkloadFunc(baseWorkload *BaseWorkload) func() error { + return func() error { + return uploadBaseWorkload(baseWorkload) + } +} + +func getSavedBaseWorkload(workloadID string, appName string) (*BaseWorkload, error) { + if cachedBaseWorkload, ok := getCachedBaseWorkload(workloadID, appName); ok { + return cachedBaseWorkload, nil + } + + key := ocontext.BaseWorkloadKey(workloadID, appName) + var baseWorkload BaseWorkload + err := config.AWS.ReadJSONFromS3(&baseWorkload, key) + if aws.IsNoSuchKeyErr(err) { + return nil, nil + } + if err != nil { + return nil, errors.Wrap(err, "download base workload", appName, workloadID) + } + cacheBaseWorkload(&baseWorkload) + return &baseWorkload, nil +} + +func getSavedBaseWorkloads(workloadIDs []string, appName string) (map[string]*BaseWorkload, error) { + baseWorkloads := make([]*BaseWorkload, len(workloadIDs)) + fns := make([]func() error, len(workloadIDs)) + i := 0 + for _, workloadID := range workloadIDs { + fns[i] = getSavedBaseWorkloadFunc(workloadID, appName, baseWorkloads, i) + i++ + } + err := parallel.RunFirstErr(fns...) + if err != nil { + return nil, err + } + + baseWorkloadMap := make(map[string]*BaseWorkload) + for _, baseWorkload := range baseWorkloads { + if baseWorkload != nil { + baseWorkloadMap[baseWorkload.WorkloadID] = baseWorkload + } + } + return baseWorkloadMap, err +} + +func getSavedBaseWorkloadFunc(workloadID string, appName string, baseWorkloads []*BaseWorkload, i int) func() error { + return func() error { + baseWorkload, err := getSavedBaseWorkload(workloadID, appName) + if err != nil { + return err + } + baseWorkloads[i] = baseWorkload + return nil + } +} diff --git a/pkg/operator/workloads/saved_base_workload_cache.go b/pkg/operator/workloads/saved_base_workload_cache.go new file mode 100644 index 0000000000..e93617054f --- /dev/null +++ b/pkg/operator/workloads/saved_base_workload_cache.go 
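Review bot: `getSavedBaseWorkload` caches and returns whatever `ReadJSONFromS3` decoded without checking that the object's `WorkloadID` and `AppName` match the `workloadID` and `appName` that were requested, while `cacheBaseWorkload` and `getSavedBaseWorkloads` key on the decoded fields. A stored object with different or empty fields would then be filed under another key, so a guard before `cacheBaseWorkload` that returns an error when `baseWorkload.WorkloadID != workloadID || baseWorkload.AppName != appName` keeps stored data from choosing its own cache slot. In `getSavedBaseWorkloads`, the manual counter can be replaced with `for i, workloadID := range workloadIDs`, and the final `return baseWorkloadMap, err` always returns a nil error, so `return baseWorkloadMap, nil` is clearer.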
@@ -0,0 +1,73 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package workloads + +import ( + "sync" + + "github.com/cortexlabs/cortex/pkg/lib/sets/strset" +) + +// appName -> map(workloadID -> *BaseWorkload) +var baseWorkloadCache = struct { + m map[string]map[string]*BaseWorkload + sync.RWMutex +}{m: make(map[string]map[string]*BaseWorkload)} + +func getCachedBaseWorkload(workloadID string, appName string) (*BaseWorkload, bool) { + baseWorkloadCache.RLock() + defer baseWorkloadCache.RUnlock() + if _, ok := baseWorkloadCache.m[appName]; ok { + if baseWorkload, ok := baseWorkloadCache.m[appName][workloadID]; ok { + if baseWorkload != nil { + return baseWorkload.Copy(), true + } + } + } + return nil, false +} + +func isBaseWorkloadCached(baseWorkload *BaseWorkload) bool { + cachedBaseWorkload, _ := getCachedBaseWorkload(baseWorkload.WorkloadID, baseWorkload.AppName) + return BaseWorkloadPtrsEqual(baseWorkload, cachedBaseWorkload) +} + +func cacheBaseWorkload(baseWorkload *BaseWorkload) { + baseWorkloadCache.Lock() + defer baseWorkloadCache.Unlock() + if _, ok := baseWorkloadCache.m[baseWorkload.AppName]; !ok { + baseWorkloadCache.m[baseWorkload.AppName] = make(map[string]*BaseWorkload) + } + baseWorkloadCache.m[baseWorkload.AppName][baseWorkload.WorkloadID] = baseWorkload.Copy() +} + +// app name -> workload IDs +func uncacheBaseWorkloads(currentWorkloadIDs map[string]strset.Set) { + baseWorkloadCache.Lock() + defer baseWorkloadCache.Unlock() 
+ for appName := range baseWorkloadCache.m { + if _, ok := currentWorkloadIDs[appName]; !ok { + delete(baseWorkloadCache.m, appName) + } else { + for workloadID := range baseWorkloadCache.m[appName] { + if !currentWorkloadIDs[appName].Has(workloadID) { + delete(baseWorkloadCache.m[appName], workloadID) + } + } + } + } +} diff --git a/pkg/operator/workloads/shared.go b/pkg/operator/workloads/shared.go index 560075b898..7be632ea9a 100644 --- a/pkg/operator/workloads/shared.go +++ b/pkg/operator/workloads/shared.go 
@@ -18,27 +18,39 @@ package workloads
 import (
 "github.com/cortexlabs/cortex/pkg/lib/random"
+ "github.com/cortexlabs/cortex/pkg/lib/sets/strset"
 "github.com/cortexlabs/cortex/pkg/operator/api/context"
 "github.com/cortexlabs/cortex/pkg/operator/api/resource"
 )
+// k8s needs all characters to be lower case, and the first to be a letter
 func generateWorkloadID() string {
- // k8s needs all characters to be lower case, and the first to be a letter
 return random.LowercaseLetters(1) + random.LowercaseString(19)
 }
-func checkResourceCached(res context.ComputedResource, ctx *context.Context) (bool, error) {
- workloadID := res.GetWorkloadID()
- if workloadID == "" {
- return false, nil
+// Check if all resourceIDs have succeeded (only data resource types)
+func areDataResourcesSucceeded(ctx *context.Context, resourceIDs strset.Set) (bool, error) {
+ resourceWorkloadIDs := ctx.DataResourceWorkloadIDs()
+ for resourceID := range resourceIDs {
+ workloadID := resourceWorkloadIDs[resourceID]
+ if workloadID == "" {
+ continue
+ }
+
+ savedStatus, err := getDataSavedStatus(resourceID, workloadID, ctx.App.Name)
+ if err != nil {
+ return false, err
+ }
+
+ if savedStatus == nil || savedStatus.ExitCode != resource.ExitCodeDataSucceeded {
+ return false, nil
+ }
 }
+ return true, nil
+}
- savedStatus, err := getDataSavedStatus(res.GetID(), workloadID, ctx.App.Name)
- if err != nil {
- return false, err
- }
- if savedStatus != nil && savedStatus.ExitCode == resource.ExitCodeDataSucceeded {
- return true, nil
- }
- return false, nil
+// Check if all dependencies of targetResourceIDs have succeeded (only data resource types)
+func areDataDependenciesSucceeded(ctx *context.Context, targetResourceIDs strset.Set) (bool, error) {
+ dependencies := ctx.DirectComputedResourceDependencies(targetResourceIDs.Slice()...)
+ return areDataResourcesSucceeded(ctx, dependencies)
 }
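Review bot: In `areDataResourcesSucceeded` the `workloadID == ""` branch does `continue`, so any ID missing from `ctx.DataResourceWorkloadIDs()` counts as succeeded, and an empty `resourceIDs` set returns `true`; the removed `checkResourceCached` returned `false` for an empty workload ID. The skip is presumably meant for non-data resources, but it also hides a data resource whose workload ID was never populated, and the `CanRun` and `IsSucceeded` methods of the Spark and training workloads both depend on this result. If the skip is intended, state it on the function, e.g. `// IDs without a data workload ID are skipped and therefore count as succeeded`. Otherwise return `false, nil` for IDs that are expected to be data resources.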
diff --git a/pkg/operator/workloads/data_job.go b/pkg/operator/workloads/spark_workload.go
similarity index 55%
rename from pkg/operator/workloads/data_job.go
rename to pkg/operator/workloads/spark_workload.go
index 0e119ed122..51523b6b2e 100644
--- a/pkg/operator/workloads/data_job.go
+++ b/pkg/operator/workloads/spark_workload.go
@@ -21,11 +21,8 @@ import (
 "strings"
 sparkop "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/apis/sparkoperator.k8s.io/v1alpha1"
- kmeta "k8s.io/apimachinery/pkg/apis/meta/v1"
 "github.com/cortexlabs/cortex/pkg/consts"
- "github.com/cortexlabs/cortex/pkg/lib/argo"
- "github.com/cortexlabs/cortex/pkg/lib/aws"
 "github.com/cortexlabs/cortex/pkg/lib/errors"
 "github.com/cortexlabs/cortex/pkg/lib/pointer"
 "github.com/cortexlabs/cortex/pkg/lib/sets/strset"
@@ -36,16 +33,112 @@ import ( "github.com/cortexlabs/cortex/pkg/operator/config" ) -func dataJobSpec( - ctx *context.Context, - shouldIngest bool, - rawColumns strset.Set, - aggregates strset.Set, - transformedColumns strset.Set, - trainingDatasets strset.Set, - workloadID string, - sparkCompute *userconfig.SparkCompute, -) *sparkop.SparkApplication { +type SparkWorkload struct { + BaseWorkload +} + +func sparkResources(ctx *context.Context) []context.ComputedResource { + var sparkResources []context.ComputedResource + for _, rawColumn := range ctx.RawColumns { + sparkResources = append(sparkResources, rawColumn) + } + for _, aggregate := range ctx.Aggregates { + sparkResources = append(sparkResources, aggregate) + } + for _, transformedColumn := range ctx.TransformedColumns { + sparkResources = append(sparkResources, transformedColumn) + } + for _, model := range ctx.Models { + sparkResources = append(sparkResources, model.Dataset) + } + return sparkResources +} + +func populateSparkWorkloadIDs(ctx *context.Context, latestResourceWorkloadIDs map[string]string) { + sparkWorkloadID := generateWorkloadID() + for _, res := range sparkResources(ctx) { + if res.GetWorkloadID() != "" { + continue + } + if workloadID := latestResourceWorkloadIDs[res.GetID()]; workloadID != "" { + res.SetWorkloadID(workloadID) + continue + } + res.SetWorkloadID(sparkWorkloadID) + } +} + +func extractSparkWorkloads(ctx *context.Context) []Workload { + workloadMap := make(map[string]*SparkWorkload) + + for _, res := range sparkResources(ctx) { + if _, ok := workloadMap[res.GetWorkloadID()]; !ok { + workloadMap[res.GetWorkloadID()] = &SparkWorkload{ + emptyBaseWorkload(ctx.App.Name, res.GetWorkloadID(), workloadTypeSpark), + } + } + workloadMap[res.GetWorkloadID()].AddResource(res) + } + + workloads := make([]Workload, 0, len(workloadMap)) + for _, workload := range workloadMap { + workloads = append(workloads, workload) + } + return workloads +} + +func (sw *SparkWorkload) Start(ctx 
*context.Context) error { + rawDatasetExists, err := config.AWS.IsS3File(filepath.Join(ctx.RawDataset.Key, "_SUCCESS")) + if err != nil { + return errors.Wrap(err, ctx.App.Name, "raw dataset") + } + shouldIngest := !rawDatasetExists + + rawColumns := strset.New() + aggregates := strset.New() + transformedColumns := strset.New() + trainingDatasets := strset.New() + + var sparkCompute *userconfig.SparkCompute + + if shouldIngest { + for _, rawColumn := range ctx.RawColumns { + sparkCompute = userconfig.MaxSparkCompute(sparkCompute, rawColumn.GetCompute()) + } + } + + for _, rawColumn := range ctx.RawColumns { + if sw.CreatesResource(rawColumn.GetID()) { + rawColumns.Add(rawColumn.GetID()) + sparkCompute = userconfig.MaxSparkCompute(sparkCompute, rawColumn.GetCompute()) + } + } + for _, aggregate := range ctx.Aggregates { + if sw.CreatesResource(aggregate.ID) { + aggregates.Add(aggregate.ID) + sparkCompute = userconfig.MaxSparkCompute(sparkCompute, aggregate.Compute) + } + } + for _, transformedColumn := range ctx.TransformedColumns { + if sw.CreatesResource(transformedColumn.ID) { + transformedColumns.Add(transformedColumn.ID) + sparkCompute = userconfig.MaxSparkCompute(sparkCompute, transformedColumn.Compute) + } + } + for _, model := range ctx.Models { + dataset := model.Dataset + if sw.CreatesResource(dataset.ID) { + trainingDatasets.Add(dataset.ID) + sparkCompute = userconfig.MaxSparkCompute(sparkCompute, model.DatasetCompute) + + dependencyIDs := ctx.AllComputedResourceDependencies(dataset.ID) + for _, transformedColumn := range ctx.TransformedColumns { + if _, ok := dependencyIDs[transformedColumn.ID]; ok { + sparkCompute = userconfig.MaxSparkCompute(sparkCompute, transformedColumn.Compute) + } + } + } + } args := []string{ "--raw-columns=" + strings.Join(rawColumns.Slice(), ","), 
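Review bot: `sparkCompute` in `SparkWorkload.Start` starts as nil and is only assigned inside the `shouldIngest` and `sw.CreatesResource(...)` branches, so it can still be nil when the arguments are built, assuming `userconfig.MaxSparkCompute` returns nil for nil inputs (its definition is not visible here). `sparkSpec` in the following hunk reads `sparkCompute.DriverMemOverhead` unconditionally, whereas the removed `dataWorkloadSpecs` returned early when there was nothing to ingest or compute. A guard before the spec is built, `if sparkCompute == nil { return errors.New("no spark resources to create") }`, turns a nil dereference in the operator into a reportable error. `TrainingWorkload.Start` has the same shape with `tfCompute` and `tfCompute.GPU`. `Start` continues past the end of this hunk.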
@@ -56,12 +149,24 @@ func dataJobSpec( if shouldIngest { args = append(args, "--ingest") } - spec := sparkSpec(workloadID, ctx, workloadTypeData, sparkCompute, args...) - argo.EnableGC(spec) - return spec + + spec := sparkSpec(sw.WorkloadID, ctx, workloadTypeSpark, sparkCompute, args...) + _, err = config.Spark.Create(spec) + if err != nil { + return err + } + + return nil } -func sparkSpec(workloadID string, ctx *context.Context, workloadType string, sparkCompute *userconfig.SparkCompute, args ...string) *sparkop.SparkApplication { +func sparkSpec( + workloadID string, + ctx *context.Context, + workloadType string, + sparkCompute *userconfig.SparkCompute, + args ...string, +) *sparkop.SparkApplication { + var driverMemOverhead *string if sparkCompute.DriverMemOverhead != nil { driverMemOverhead = pointer.String(s.Int64(sparkCompute.DriverMemOverhead.ToKi()) + "k") @@ -75,19 +180,13 @@ func sparkSpec(workloadID string, ctx *context.Context, workloadType string, spa memOverheadFactor = pointer.String(s.Float64(*sparkCompute.MemOverheadFactor)) } - return &sparkop.SparkApplication{ - TypeMeta: kmeta.TypeMeta{ - APIVersion: "sparkoperator.k8s.io/v1alpha1", - Kind: "SparkApplication", - }, - ObjectMeta: kmeta.ObjectMeta{ - Name: workloadID, - Namespace: config.Cortex.Namespace, - Labels: map[string]string{ - "workloadID": workloadID, - "workloadType": workloadType, - "appName": ctx.App.Name, - }, + return spark.App(&spark.Spec{ + Name: workloadID, + Namespace: config.Cortex.Namespace, + Labels: map[string]string{ + "workloadID": workloadID, + "workloadType": workloadType, + "appName": ctx.App.Name, }, Spec: sparkop.SparkApplicationSpec{ Type: sparkop.PythonApplicationType, 
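Review bot: The error from `config.Spark.Create(spec)` is returned bare, while the `IsS3File` failure at the top of `Start` is wrapped with the app name, so a failure surfacing from the periodic workflow update would not say which app or workload could not be started. Suggest `return errors.Wrap(err, ctx.App.Name, "spark workload", sw.WorkloadID)`. The trailing `if err != nil { return err }` followed by `return nil` can then collapse into a single return. `config.Kubernetes.CreateJob` in `TrainingWorkload.Start` is returned the same way. `Start` begins in the previous hunk.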
@@ -169,115 +268,17 @@ func sparkSpec(workloadID string, ctx *context.Context, workloadType string, spa Instances: &sparkCompute.Executors, }, }, - } + }) } -func dataWorkloadSpecs(ctx *context.Context) ([]*WorkloadSpec, error) { - workloadID := generateWorkloadID() - - rawFileExists, err := config.AWS.IsS3File(filepath.Join(ctx.RawDataset.Key, "_SUCCESS")) - if err != nil { - return nil, errors.Wrap(err, ctx.App.Name, "raw dataset") - } - - var allComputes []*userconfig.SparkCompute - - shouldIngest := !rawFileExists - if shouldIngest { - externalPath := ctx.Environment.Data.GetPath() - externalDataExists, err := aws.IsS3aPathPrefixExternal(externalPath) - if !externalDataExists || err != nil { - return nil, errors.Wrap(userconfig.ErrorExternalNotFound(externalPath), ctx.App.Name, userconfig.Identify(ctx.Environment), userconfig.DataKey, userconfig.PathKey) - } - for _, rawColumn := range ctx.RawColumns { - allComputes = append(allComputes, rawColumn.GetCompute()) - } - } - - rawColumnIDs := strset.New() - var rawColumns []string - for rawColumnName, rawColumn := range ctx.RawColumns { - isCached, err := checkResourceCached(rawColumn, ctx) - if err != nil { - return nil, err - } - if isCached { - continue - } - rawColumns = append(rawColumns, rawColumnName) - rawColumnIDs.Add(rawColumn.GetID()) - allComputes = append(allComputes, rawColumn.GetCompute()) - } - - aggregateIDs := strset.New() - var aggregates []string - for aggregateName, aggregate := range ctx.Aggregates { - isCached, err := checkResourceCached(aggregate, ctx) - if err != nil { - return nil, err - } - if isCached { - continue - } - aggregates = append(aggregates, aggregateName) - aggregateIDs.Add(aggregate.GetID()) - allComputes = append(allComputes, aggregate.Compute) - } - - transformedColumnIDs := strset.New() - var transformedColumns []string - for transformedColumnName, transformedColumn := range ctx.TransformedColumns { - isCached, err := checkResourceCached(transformedColumn, ctx) - if err != 
nil { - return nil, err - } - if isCached { - continue - } - transformedColumns = append(transformedColumns, transformedColumnName) - transformedColumnIDs.Add(transformedColumn.GetID()) - allComputes = append(allComputes, transformedColumn.Compute) - } - - trainingDatasetIDs := strset.New() - var trainingDatasets []string - for modelName, model := range ctx.Models { - dataset := model.Dataset - isCached, err := checkResourceCached(dataset, ctx) - if err != nil { - return nil, err - } - if isCached { - continue - } - trainingDatasets = append(trainingDatasets, modelName) - trainingDatasetIDs.Add(dataset.GetID()) - dependencyIDs := ctx.AllComputedResourceDependencies(dataset.GetID()) - for _, transformedColumn := range ctx.TransformedColumns { - if _, ok := dependencyIDs[transformedColumn.ID]; ok { - allComputes = append(allComputes, transformedColumn.Compute) - } - } - allComputes = append(allComputes, model.DatasetCompute) - } - - resourceIDSet := strset.Union(rawColumnIDs, aggregateIDs, transformedColumnIDs, trainingDatasetIDs) - - if !shouldIngest && len(resourceIDSet) == 0 { - return nil, nil - } +func (sw *SparkWorkload) IsRunning(ctx *context.Context) (bool, error) { + return config.Spark.IsRunning(sw.WorkloadID) +} - sparkCompute := userconfig.MaxSparkCompute(allComputes...) 
- spec := dataJobSpec(ctx, shouldIngest, rawColumnIDs, aggregateIDs, transformedColumnIDs, trainingDatasetIDs, workloadID, sparkCompute) +func (sw *SparkWorkload) CanRun(ctx *context.Context) (bool, error) { + return areDataDependenciesSucceeded(ctx, sw.GetResourceIDs()) +} - workloadSpec := &WorkloadSpec{ - WorkloadID: workloadID, - ResourceIDs: resourceIDSet, - K8sSpecs: []kmeta.Object{spec}, - K8sAction: "create", - SuccessCondition: spark.SuccessCondition, - FailureCondition: spark.FailureCondition, - WorkloadType: workloadTypeData, - } - return []*WorkloadSpec{workloadSpec}, nil +func (sw *SparkWorkload) IsSucceeded(ctx *context.Context) (bool, error) { + return areDataResourcesSucceeded(ctx, sw.GetResourceIDs()) } diff --git a/pkg/operator/workloads/training_job.go b/pkg/operator/workloads/training_workload.go similarity index 56% rename from pkg/operator/workloads/training_job.go rename to pkg/operator/workloads/training_workload.go index 0ab4140741..997362e3f7 100644 --- a/pkg/operator/workloads/training_job.go +++ b/pkg/operator/workloads/training_workload.go @@ -17,13 +17,10 @@ limitations under the License. package workloads import ( - kbatch "k8s.io/api/batch/v1" kcore "k8s.io/api/core/v1" kresource "k8s.io/apimachinery/pkg/api/resource" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/cortexlabs/cortex/pkg/consts" - "github.com/cortexlabs/cortex/pkg/lib/argo" "github.com/cortexlabs/cortex/pkg/lib/k8s" "github.com/cortexlabs/cortex/pkg/lib/sets/strset" "github.com/cortexlabs/cortex/pkg/operator/api/context" 
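Review bot: `SparkWorkload.CanRun` passes the workload's own resource IDs to `areDataDependenciesSucceeded`, which requires every ID returned by `ctx.DirectComputedResourceDependencies(...)` to have succeeded. One Spark workload can hold raw columns, aggregates, transformed columns and training datasets together (see `sparkResources`). If that call can return IDs belonging to this same workload, `CanRun` waits on resources only this workload can produce and never becomes true. `DirectComputedResourceDependencies` is not visible here, so please confirm it excludes the target set and record that on `CanRun`, e.g. `// dependencies exclude resources created by this workload`.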
@@ -31,12 +28,54 @@ import ( "github.com/cortexlabs/cortex/pkg/operator/config" ) -func trainingJobSpec( - ctx *context.Context, - modelID string, - workloadID string, - tfCompute *userconfig.TFCompute, -) *kbatch.Job { +type TrainingWorkload struct { + BaseWorkload +} + +func populateTrainingWorkloadIDs(ctx *context.Context, latestResourceWorkloadIDs map[string]string) { + trainingWorkloadIDs := make(map[string]string) + + for _, model := range ctx.Models { + if model.WorkloadID != "" { + continue + } + if workloadID := latestResourceWorkloadIDs[model.ID]; workloadID != "" { + model.WorkloadID = workloadID + continue + } + if workloadID, ok := trainingWorkloadIDs[model.ID]; ok { + // This is a duplicate model ID (different name) + model.WorkloadID = workloadID + continue + } + model.WorkloadID = generateWorkloadID() + trainingWorkloadIDs[model.ID] = model.WorkloadID + } +} + +func extractTrainingWorkloads(ctx *context.Context) []Workload { + workloads := make([]Workload, 0, len(ctx.Models)) + modelIDs := strset.New() + + for _, model := range ctx.Models { + if !modelIDs.Has(model.ID) { + workloads = append(workloads, &TrainingWorkload{ + singleBaseWorkload(model, ctx.App.Name, workloadTypeTrain), + }) + modelIDs.Add(model.ID) + } + } + + return workloads +} + +func (tw *TrainingWorkload) Start(ctx *context.Context) error { + var tfCompute *userconfig.TFCompute + for _, model := range ctx.Models { + if tw.CreatesResource(model.ID) { + tfCompute = userconfig.MaxTFCompute(tfCompute, model.Compute) + } + } resourceList := kcore.ResourceList{} limitsList := kcore.ResourceList{} 
@@ -52,18 +91,18 @@ func trainingJobSpec( limitsList["nvidia.com/gpu"] = *kresource.NewQuantity(tfCompute.GPU, kresource.DecimalSI) } - spec := k8s.Job(&k8s.JobSpec{ - Name: workloadID, + spec := &k8s.JobSpec{ + Name: tw.WorkloadID, Labels: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeTrain, - "workloadID": workloadID, + "workloadID": tw.WorkloadID, }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeTrain, - "workloadID": workloadID, + "workloadID": tw.WorkloadID, "userFacing": "true", }, K8sPodSpec: kcore.PodSpec{ @@ -74,10 +113,10 @@ func trainingJobSpec( Image: trainImage, ImagePullPolicy: "Always", Args: []string{ - "--workload-id=" + workloadID, + "--workload-id=" + tw.WorkloadID, "--context=" + config.AWS.S3Path(ctx.Key), "--cache-dir=" + consts.ContextCacheDir, - "--model=" + modelID, + "--model=" + tw.GetSingleResourceID(), }, Env: k8s.AWSCredentials(), VolumeMounts: k8s.DefaultVolumeMounts(), 
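Review bot: `"--model=" + tw.GetSingleResourceID()` relies on a helper that, per the workload.go hunk, returns the first key of a map range: `""` when `Resources` is empty and an arbitrary entry when it holds more than one. The removed `trainingJobSpec` received an explicit `modelID`. A job launched with an empty `--model=` would fail only inside the container, after the pod has been scheduled and given its environment. Reading the ID once, `modelID := tw.GetSingleResourceID()`, and returning an error when it is empty before building the spec keeps that failure in the operator. `Start` begins in an earlier hunk and ends in a later one.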
@@ -92,42 +131,23 @@ func trainingJobSpec( }, }, Namespace: config.Cortex.Namespace, - }) - argo.EnableGC(spec) - return spec -} - -func trainingWorkloadSpecs(ctx *context.Context) ([]*WorkloadSpec, error) { - modelsToTrain := make(map[string]*userconfig.TFCompute) - for _, model := range ctx.Models { - modelCached, err := checkResourceCached(model, ctx) - if err != nil { - return nil, err - } - if modelCached { - continue - } - - if tfCompute, ok := modelsToTrain[model.ID]; ok { - modelsToTrain[model.ID] = userconfig.MaxTFCompute(tfCompute, model.Compute) - } else { - modelsToTrain[model.ID] = model.Compute - } } - var workloadSpecs []*WorkloadSpec - for modelID, tfCompute := range modelsToTrain { - workloadID := generateWorkloadID() - workloadSpecs = append(workloadSpecs, &WorkloadSpec{ - WorkloadID: workloadID, - ResourceIDs: strset.New(modelID), - K8sSpecs: []kmeta.Object{trainingJobSpec(ctx, modelID, workloadID, tfCompute)}, - K8sAction: "create", - SuccessCondition: k8s.JobSuccessCondition, - FailureCondition: k8s.JobFailureCondition, - WorkloadType: workloadTypeTrain, - }) + _, err := config.Kubernetes.CreateJob(k8s.Job(spec)) + if err != nil { + return err } + return nil +} + +func (tw *TrainingWorkload) IsRunning(ctx *context.Context) (bool, error) { + return config.Kubernetes.IsJobRunning(tw.WorkloadID) +} + +func (tw *TrainingWorkload) CanRun(ctx *context.Context) (bool, error) { + return areDataDependenciesSucceeded(ctx, tw.GetResourceIDs()) +} - return workloadSpecs, nil +func (tw *TrainingWorkload) IsSucceeded(ctx *context.Context) (bool, error) { + return areDataResourcesSucceeded(ctx, tw.GetResourceIDs()) } diff --git a/pkg/operator/workloads/workflow.go b/pkg/operator/workloads/workflow.go index 526d71ee4f..58055f7090 100644 --- a/pkg/operator/workloads/workflow.go +++ b/pkg/operator/workloads/workflow.go 
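Review bot: A failed training Job looks like it will be recreated under the same name: `updateWorkflow` calls `Start` for any workload that is neither succeeded nor running, and `Start` creates a Job named `tw.WorkloadID`. With `argo.EnableGC(spec)` removed, nothing in this hunk cleans up a finished Job, so `CreateJob` would presumably hit an already-exists error on each pass. Whether failed workloads are filtered elsewhere is not visible here. Consider a failed-state check next to `IsSucceeded` and `IsRunning`, or deleting the finished Job before `CreateJob`.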
@@ -17,200 +17,89 @@ limitations under the License. package workloads import ( - "fmt" "path/filepath" - "strings" - - awfv1 "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1" - ghodssyaml "github.com/ghodss/yaml" "github.com/cortexlabs/cortex/pkg/consts" - "github.com/cortexlabs/cortex/pkg/lib/argo" + "github.com/cortexlabs/cortex/pkg/lib/aws" "github.com/cortexlabs/cortex/pkg/lib/errors" - "github.com/cortexlabs/cortex/pkg/lib/json" - "github.com/cortexlabs/cortex/pkg/lib/slices" + "github.com/cortexlabs/cortex/pkg/lib/sets/strset" "github.com/cortexlabs/cortex/pkg/operator/api/context" + "github.com/cortexlabs/cortex/pkg/operator/api/userconfig" "github.com/cortexlabs/cortex/pkg/operator/config" - ocontext "github.com/cortexlabs/cortex/pkg/operator/context" ) func Init() error { - workflows, err := config.Argo.List(nil) + err := reloadCurrentContexts() if err != nil { - return errors.Wrap(err, "init", "argo", "list") + return errors.Wrap(err, "init") } - for _, wf := range workflows { - ctx, err := ocontext.DownloadContext(wf.Labels["ctxID"], wf.Labels["appName"]) - if err != nil { - fmt.Println("Deleting stale workflow:", wf.Name) - config.Argo.Delete(wf.Name) - } else { - setCurrentContext(ctx) - } - } + go cronRunner() return nil } -func Create(ctx *context.Context) (*awfv1.Workflow, error) { - err := populateLatestWorkloadIDs(ctx) +func PopulateWorkloadIDs(ctx *context.Context) error { + resourceIDs := ctx.ComputedResourceIDs() + latestResourceWorkloadIDs, err := getSavedLatestWorkloadIDs(resourceIDs, ctx.App.Name) if err != nil { - return nil, err - } - - labels := map[string]string{ - "appName": ctx.App.Name, - "ctxID": ctx.ID, + return err } - wf := config.Argo.NewWorkflow(ctx.App.Name, labels) - var allSpecs []*WorkloadSpec + populatePythonPackageWorkloadIDs(ctx, latestResourceWorkloadIDs) + populateSparkWorkloadIDs(ctx, latestResourceWorkloadIDs) + populateTrainingWorkloadIDs(ctx, latestResourceWorkloadIDs) + populateAPIWorkloadIDs(ctx, 
latestResourceWorkloadIDs) - pythonPackageJobSpecs, err := pythonPackageWorkloadSpecs(ctx) - if err != nil { - return nil, err + if err := ctx.CheckAllWorkloadIDsPopulated(); err != nil { + return err } - allSpecs = append(allSpecs, pythonPackageJobSpecs...) - - if ctx.Environment != nil { - dataJobSpecs, err := dataWorkloadSpecs(ctx) - if err != nil { - return nil, err - } - allSpecs = append(allSpecs, dataJobSpecs...) + return nil +} - trainingJobSpecs, err := trainingWorkloadSpecs(ctx) - if err != nil { - return nil, err - } - allSpecs = append(allSpecs, trainingJobSpecs...) - } +func extractWorkloads(ctx *context.Context) []Workload { + var workloads []Workload + workloads = append(workloads, extractPythonPackageWorkloads(ctx)...) + workloads = append(workloads, extractSparkWorkloads(ctx)...) + workloads = append(workloads, extractTrainingWorkloads(ctx)...) + workloads = append(workloads, extractAPIWorkloads(ctx)...) + return workloads +} - apiSpecs, err := apiWorkloadSpecs(ctx) +func ValidateDeploy(ctx *context.Context) error { + rawDatasetExists, err := config.AWS.IsS3File(filepath.Join(ctx.RawDataset.Key, "_SUCCESS")) if err != nil { - return nil, err + return errors.Wrap(err, ctx.App.Name, "raw dataset") } - allSpecs = append(allSpecs, apiSpecs...) 
- - resourceWorkloadIDs := make(map[string]string) - for _, spec := range allSpecs { - for resourceID := range spec.ResourceIDs { - resourceWorkloadIDs[resourceID] = spec.WorkloadID + if !rawDatasetExists { + externalPath := ctx.Environment.Data.GetPath() + externalDataExists, err := aws.IsS3aPathPrefixExternal(externalPath) + if !externalDataExists || err != nil { + return errors.Wrap(userconfig.ErrorExternalNotFound(externalPath), ctx.App.Name, userconfig.Identify(ctx.Environment), userconfig.DataKey, userconfig.PathKey) } } - ctx.PopulateWorkloadIDs(resourceWorkloadIDs) - - for _, spec := range allSpecs { - var dependencyWorkloadIDs []string - for resourceID := range spec.ResourceIDs { - for dependencyResourceID := range ctx.AllComputedResourceDependencies(resourceID) { - workloadID := resourceWorkloadIDs[dependencyResourceID] - if workloadID != "" && workloadID != spec.WorkloadID { - dependencyWorkloadIDs = append(dependencyWorkloadIDs, workloadID) - } - } - } - - var combinedManifest string - - switch len(spec.K8sSpecs) { - case 0: - return nil, errors.New("a kubernetes manifest must be specified") // unexpected internal error - case 1: - manifestBytes, err := json.Marshal(spec.K8sSpecs[0]) - if err != nil { - return nil, errors.Wrap(err, ctx.App.Name, "workloads", spec.WorkloadID) - } - combinedManifest = string(manifestBytes) - default: // >1 - if spec.SuccessCondition != "" || spec.FailureCondition != "" { - return nil, errors.New("success and failure conditions are not permitted with multiple manifests") // unexpected internal error - } - manifests := make([]string, len(spec.K8sSpecs)) - for i, k8sSpec := range spec.K8sSpecs { - manifestJSON, err := json.Marshal(k8sSpec) - if err != nil { - return nil, errors.Wrap(err, ctx.App.Name, "workloads", spec.WorkloadID) - } - manifestYAML, err := ghodssyaml.JSONToYAML(manifestJSON) - if err != nil { - return nil, errors.Wrap(err, ctx.App.Name, "workloads", spec.WorkloadID) - } - manifests[i] = string(manifestYAML) 
- } - combinedManifest = strings.Join(manifests, "\n\n---\n\n") - } - argo.AddTask(wf, &argo.WorkflowTask{ - Name: spec.WorkloadID, - Action: spec.K8sAction, - Manifest: combinedManifest, - SuccessCondition: spec.SuccessCondition, - FailureCondition: spec.FailureCondition, - Dependencies: slices.UniqueStrings(dependencyWorkloadIDs), - Labels: map[string]string{ - "appName": ctx.App.Name, - "workloadType": spec.WorkloadType, - "workloadID": spec.WorkloadID, - }, - }) - - err = uploadWorkloadSpec(spec, ctx) - if err != nil { - return nil, err - } - } - - return wf, nil + return nil } -func populateLatestWorkloadIDs(ctx *context.Context) error { - resourceIDs := ctx.ComputedResourceIDs() - resourceWorkloadIDs, err := getSavedLatestWorkloadIDs(resourceIDs, ctx.App.Name) - if err != nil { +func Run(ctx *context.Context) error { + if err := ctx.CheckAllWorkloadIDsPopulated(); err != nil { return err - } - ctx.PopulateWorkloadIDs(resourceWorkloadIDs) - return nil -} -func Run(wf *awfv1.Workflow, ctx *context.Context, existingWf *awfv1.Workflow) error { - err := ctx.CheckAllWorkloadIDsPopulated() + prevCtx := CurrentContext(ctx.App.Name) + err := deleteOldDataJobs(prevCtx) if err != nil { return err } - if existingWf != nil { - existingCtx := CurrentContext(ctx.App.Name) - if wf.Labels["appName"] != existingWf.Labels["appName"] { - return ErrorWorkflowAppMismatch() - } - if existingCtx != nil && ctx.App.Name != existingCtx.App.Name { - return ErrorContextAppMismatch() - } - - err := Stop(existingWf, existingCtx) - if err != nil { - return err - } - } - - err = config.Argo.Run(wf) - if err != nil { - return errors.Wrap(err, ctx.App.Name) - } + deleteOldAPIs(ctx) - err = createServicesAndIngresses(ctx) + err = setCurrentContext(ctx) if err != nil { return err } - deleteOldAPIs(ctx) - - setCurrentContext(ctx) - resourceWorkloadIDs := ctx.ComputedResourceResourceWorkloadIDs() err = uploadLatestWorkloadIDs(resourceWorkloadIDs, ctx.App.Name) if err != nil { 
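Review bot: `ValidateDeploy` reads `ctx.RawDataset.Key` and `ctx.Environment.Data.GetPath()` without checking `ctx.Environment`, while the removed `Create` only built data and training specs under `if ctx.Environment != nil`. A context without an environment would panic in the operator instead of passing validation. Suggest opening the function with `if ctx.Environment == nil { return nil }`, unless every caller already guarantees it, which is not visible here. Separately, `!externalDataExists || err != nil` reports every failure of `aws.IsS3aPathPrefixExternal` as `ErrorExternalNotFound`, which hides permission and network errors; that condition is carried over from the removed code.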
@@ -220,20 +109,26 @@ func Run(wf *awfv1.Workflow, ctx *context.Context, existingWf *awfv1.Workflow) e
 uncacheDataSavedStatuses(resourceWorkloadIDs, ctx.App.Name)
 uncacheLatestWorkloadIDs(ctx.ComputedResourceIDs(), ctx.App.Name)
+ runCronNow()
+
 return nil
 }
-func Stop(wf *awfv1.Workflow, ctx *context.Context) error {
- if wf == nil {
+func deleteOldDataJobs(ctx *context.Context) error {
+ if ctx == nil {
 return nil
 }
- _, err := config.Argo.Delete(wf.Name)
- if err != nil {
- return errors.Wrap(err, ctx.App.Name)
+ jobs, _ := config.Kubernetes.ListJobsByLabel("appName", ctx.App.Name)
+ for _, job := range jobs {
+ config.Kubernetes.DeleteJob(job.Name)
+ }
+ sparkApps, _ := config.Spark.ListByLabel("appName", ctx.App.Name)
+ for _, sparkApp := range sparkApps {
+ config.Spark.Delete(sparkApp.Name)
 }
- err = updateKilledDataSavedStatuses(ctx)
+ err := updateKilledDataSavedStatuses(ctx)
 if err != nil {
 return err
 }
@@ -242,15 +137,6 @@ func Stop(wf *awfv1.Workflow, ctx *context.Context) error {
 }
 func DeleteApp(appName string, keepCache bool) bool {
- ctx := CurrentContext(appName)
- wasDeployed := false
-
- if ctx != nil {
- wf, _ := GetWorkflow(appName)
- Stop(wf, ctx)
- wasDeployed = true
- }
-
 deployments, _ := config.Kubernetes.ListDeploymentsByLabel("appName", appName)
 for _, deployment := range deployments {
 config.Kubernetes.DeleteDeployment(deployment.Name)
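Review bot: `deleteOldDataJobs` discards the errors from `ListJobsByLabel`, `DeleteJob`, `Spark.ListByLabel` and `Spark.Delete`, then records the data statuses as killed through `updateKilledDataSavedStatuses`. If listing or deletion fails, the previous deployment's jobs keep running with the environment their pods were given, while the saved state says they were killed and `Run` carries on; the removed `Stop` returned the delete error. Suggest returning the list errors, e.g. `jobs, err := config.Kubernetes.ListJobsByLabel("appName", ctx.App.Name)` followed by `if err != nil { return errors.Wrap(err, ctx.App.Name) }`, and the same for the Spark list. The block added to `DeleteApp` in the next hunk follows the same pattern and also drops the result of `updateKilledDataSavedStatuses`.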
@@ -271,11 +157,21 @@ func DeleteApp(appName string, keepCache bool) bool {
 for _, job := range jobs {
 config.Kubernetes.DeleteJob(job.Name)
 }
+ sparkApps, _ := config.Spark.ListByLabel("appName", appName)
+ for _, sparkApp := range sparkApps {
+ config.Spark.Delete(sparkApp.Name)
+ }
 pods, _ := config.Kubernetes.ListPodsByLabel("appName", appName)
 for _, pod := range pods {
 config.Kubernetes.DeletePod(pod.Name)
 }
+ wasDeployed := false
+ if ctx := CurrentContext(appName); ctx != nil {
+ updateKilledDataSavedStatuses(ctx)
+ wasDeployed = true
+ }
+
 deleteCurrentContext(appName)
 uncacheDataSavedStatuses(nil, appName)
 uncacheLatestWorkloadIDs(nil, appName)
@@ -287,18 +183,113 @@ func DeleteApp(appName string, keepCache bool) bool { return wasDeployed } -func GetWorkflow(appName string) (*awfv1.Workflow, error) { - wfs, err := config.Argo.ListByLabel("appName", appName) +func UpdateWorkflows() error { + currentWorkloadIDs := make(map[string]strset.Set) + + for _, ctx := range CurrentContexts() { + err := updateWorkflow(ctx) + if err != nil { + return err + } + + currentWorkloadIDs[ctx.App.Name] = ctx.ComputedResourceWorkloadIDs() + } + + uncacheBaseWorkloads(currentWorkloadIDs) + + return nil +} + +func updateWorkflow(ctx *context.Context) error { + workloads := extractWorkloads(ctx) + + err := uploadBaseWorkloadsFromWorkloads(workloads) if err != nil { - return nil, errors.Wrap(err, appName) + return err + } + + for _, workload := range workloads { + isSucceeded, err := workload.IsSucceeded(ctx) + if err != nil { + return err + } + if isSucceeded { + continue + } + + isRunning, err := workload.IsRunning(ctx) + if err != nil { + return err + } + if isRunning { + continue + } + + canRun, err := workload.CanRun(ctx) + if err != nil { + return err + } + if !canRun { + continue + } + + err = workload.Start(ctx) + if err != nil { + return err + } + } + + return nil +} + +func IsWorkloadPending(appName string, workloadID string) (bool, error) { + ctx := CurrentContext(appName) + if ctx == nil { + return false, nil + } + + for _, workload := range extractWorkloads(ctx) { + if workload.GetWorkloadID() != workloadID { + continue + } + + isSucceeded, err := workload.IsSucceeded(ctx) + if err != nil { + return false, err + } + if isSucceeded { + continue + } + + isRunning, err := workload.IsRunning(ctx) + if err != nil { + return false, err + } + if isRunning { + continue + } + + return true, nil } - if len(wfs) > 1 { - return nil, errors.Wrap(ErrorMoreThanOneWorkflow(), appName) + + return false, nil +} + +func IsDeploymentUpdating(appName string) (bool, error) { + ctx := CurrentContext(appName) + if ctx == nil { + return 
false, nil } - if len(wfs) == 0 { - return nil, nil + for _, workload := range extractWorkloads(ctx) { + isRunning, err := workload.IsRunning(ctx) + if err != nil { + return false, err + } + if isRunning { + return true, nil + } } - return &wfs[0], nil + return false, nil } diff --git a/pkg/operator/workloads/workload.go b/pkg/operator/workloads/workload.go new file mode 100644 index 0000000000..d323581e51 --- /dev/null +++ b/pkg/operator/workloads/workload.go 
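Review bot: `UpdateWorkflows` returns on the first error from `updateWorkflow`, so one app whose workload cannot be checked or started stops every remaining context from being processed in that pass and skips `uncacheBaseWorkloads`. On a shared operator that lets a single broken deployment stall the others. Recording the first error and continuing keeps the apps isolated; the sketch below also records each app's workload IDs before the update so a failing app is not evicted from the cache. `updateWorkflow` has the same early-return shape across the workloads of one app, which is less of a concern because later workloads usually depend on earlier ones.

```go
func UpdateWorkflows() error {
	currentWorkloadIDs := make(map[string]strset.Set)
	var firstErr error

	for _, ctx := range CurrentContexts() {
		// Record the IDs first so a failing app is not evicted from the cache below.
		currentWorkloadIDs[ctx.App.Name] = ctx.ComputedResourceWorkloadIDs()

		if err := updateWorkflow(ctx); err != nil && firstErr == nil {
			firstErr = errors.Wrap(err, ctx.App.Name)
		}
	}

	uncacheBaseWorkloads(currentWorkloadIDs)
	return firstErr
}
```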
@@ -0,0 +1,183 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package workloads + +import ( + "github.com/cortexlabs/cortex/pkg/lib/sets/strset" + "github.com/cortexlabs/cortex/pkg/operator/api/context" +) + +const ( + workloadTypeAPI = "api" + workloadTypeSpark = "spark-job" + workloadTypeTrain = "training-job" + workloadTypePythonPackager = "python-packager" +) + +type Workload interface { + BaseWorkloadInterface + CanRun(*context.Context) (bool, error) + Start(*context.Context) error + IsRunning(*context.Context) (bool, error) + IsSucceeded(*context.Context) (bool, error) +} + +type BaseWorkload struct { + AppName string + WorkloadID string + WorkloadType string + Resources map[string]context.ResourceFields +} + +type BaseWorkloadInterface interface { + GetAppName() string + GetWorkloadID() string + GetWorkloadType() string + GetResources() map[string]context.ResourceFields + CreatesResource(resourceID string) bool + AddResource(res context.ComputedResource) + GetResourceIDs() strset.Set + GetSingleResourceID() string + GetBaseWorkloadPtr() *BaseWorkload +} + +func (bw *BaseWorkload) GetBaseWorkloadPtr() *BaseWorkload { + return bw +} + +func (bw *BaseWorkload) GetAppName() string { + return bw.AppName +} + +func (bw *BaseWorkload) GetWorkloadID() string { + return bw.WorkloadID +} + +func (bw *BaseWorkload) GetWorkloadType() string { + return bw.WorkloadType +} + +func (bw *BaseWorkload) GetResources() map[string]context.ResourceFields 
{ + if bw.Resources == nil { + bw.Resources = make(map[string]context.ResourceFields) + } + return bw.Resources +} + +func (bw *BaseWorkload) GetResourceIDs() strset.Set { + resourceIDs := strset.NewWithSize(len(bw.Resources)) + for resourceID := range bw.Resources { + resourceIDs.Add(resourceID) + } + return resourceIDs +} + +func (bw *BaseWorkload) GetSingleResourceID() string { + for resourceID := range bw.Resources { + return resourceID + } + return "" +} + +func (bw *BaseWorkload) CreatesResource(resourceID string) bool { + if bw.Resources == nil { + bw.Resources = make(map[string]context.ResourceFields) + } + _, ok := bw.Resources[resourceID] + return ok +} + +func (bw *BaseWorkload) AddResource(res context.ComputedResource) { + if bw.Resources == nil { + bw.Resources = make(map[string]context.ResourceFields) + } + bw.Resources[res.GetID()] = context.ResourceFields{ + ID: res.GetID(), + ResourceType: res.GetResourceType(), + } +} + +func (bw *BaseWorkload) Copy() *BaseWorkload { + if bw == nil { + return nil + } + + copiedResources := make(map[string]context.ResourceFields, len(bw.Resources)) + for resID, res := range bw.Resources { + copiedResources[resID] = res + } + + return &BaseWorkload{ + AppName: bw.AppName, + WorkloadID: bw.WorkloadID, + WorkloadType: bw.WorkloadType, + Resources: copiedResources, + } +} + +func BaseWorkloadPtrsEqual(bw1 *BaseWorkload, bw2 *BaseWorkload) bool { + if bw1 == nil && bw2 == nil { + return true + } + if bw1 == nil || bw2 == nil { + return false + } + return bw1.Equal(*bw2) +} + +func (bw *BaseWorkload) Equal(bw2 BaseWorkload) bool { + if bw.AppName != bw2.AppName { + return false + } + if bw.WorkloadID != bw2.WorkloadID { + return false + } + if bw.WorkloadType != bw2.WorkloadType { + return false + } + if len(bw.Resources) != len(bw2.Resources) { + return false + } + for resID, res := range bw.Resources { + res2, ok := bw2.Resources[resID] + if !ok { + return false + } + if res.ID != res2.ID { + return false + } + if 
res.ResourceType != res2.ResourceType { + return false + } + } + return true +} + +func emptyBaseWorkload(appName string, workloadID string, workloadType string) BaseWorkload { + return BaseWorkload{ + AppName: appName, + WorkloadID: workloadID, + WorkloadType: workloadType, + Resources: make(map[string]context.ResourceFields), + } +} + +func singleBaseWorkload(res context.ComputedResource, appName string, workloadType string) BaseWorkload { + bw := emptyBaseWorkload(appName, res.GetWorkloadID(), workloadType) + bw.AddResource(res) + return bw +} diff --git a/pkg/operator/workloads/workload_spec.go b/pkg/operator/workloads/workload_spec.go deleted file mode 100644 index de605a512b..0000000000 --- a/pkg/operator/workloads/workload_spec.go +++ /dev/null 
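Review bot: `CreatesResource` allocates `bw.Resources` before a read, but indexing a nil map is safe in Go, so the body can be just `_, ok := bw.Resources[resourceID]` and `return ok`, leaving a lookup free of side effects. `GetResources` does the same lazy allocation, so two read-looking accessors write to the receiver, which is easy to overlook if a workload is ever shared between goroutines. The exported `Workload`, `BaseWorkload` and `BaseWorkloadInterface` have no doc comments. A comment on `Workload` giving the order in which `updateWorkflow` consults the methods (`IsSucceeded`, `IsRunning`, `CanRun`, then `Start`) would tell implementers what each one may assume.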
@@ -1,176 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package workloads - -import ( - "time" - - kcore "k8s.io/api/core/v1" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - - "github.com/cortexlabs/cortex/pkg/lib/aws" - "github.com/cortexlabs/cortex/pkg/lib/errors" - "github.com/cortexlabs/cortex/pkg/lib/k8s" - "github.com/cortexlabs/cortex/pkg/lib/pointer" - "github.com/cortexlabs/cortex/pkg/lib/sets/strset" - "github.com/cortexlabs/cortex/pkg/operator/api/context" - "github.com/cortexlabs/cortex/pkg/operator/api/resource" - "github.com/cortexlabs/cortex/pkg/operator/config" - ocontext "github.com/cortexlabs/cortex/pkg/operator/context" -) - -type WorkloadSpec struct { - WorkloadID string - ResourceIDs strset.Set - K8sSpecs []kmeta.Object - K8sAction string - SuccessCondition string - FailureCondition string - WorkloadType string -} - -type SavedWorkloadSpec struct { - AppName string - WorkloadID string - WorkloadType string - Resources map[string]*context.ResourceFields -} - -func uploadWorkloadSpec(workloadSpec *WorkloadSpec, ctx *context.Context) error { - if workloadSpec == nil { - return nil - } - - resources := make(map[string]*context.ResourceFields) - for resourceID := range workloadSpec.ResourceIDs { - resource := ctx.OneResourceByID(resourceID) - resources[resourceID] = &context.ResourceFields{ - ID: resource.GetID(), - ResourceType: resource.GetResourceType(), - } - } - - savedWorkloadSpec := SavedWorkloadSpec{ - 
AppName: ctx.App.Name, - WorkloadID: workloadSpec.WorkloadID, - WorkloadType: workloadSpec.WorkloadType, - Resources: resources, - } - - key := ocontext.WorkloadSpecKey(savedWorkloadSpec.WorkloadID, ctx.App.Name) - err := config.AWS.UploadJSONToS3(savedWorkloadSpec, key) - if err != nil { - return errors.Wrap(err, "upload workload spec", ctx.App.Name, savedWorkloadSpec.WorkloadID) - } - return nil -} - -func getSavedWorkloadSpec(workloadID string, appName string) (*SavedWorkloadSpec, error) { - key := ocontext.WorkloadSpecKey(workloadID, appName) - var savedWorkloadSpec SavedWorkloadSpec - err := config.AWS.ReadJSONFromS3(&savedWorkloadSpec, key) - if aws.IsNoSuchKeyErr(err) { - return nil, nil - } - if err != nil { - return nil, errors.Wrap(err, "download workload spec", appName, workloadID) - } - return &savedWorkloadSpec, nil -} - -func UpdateDataWorkflowErrors(failedPods []kcore.Pod) error { - checkedWorkloadIDs := strset.New() - nowTime := pointer.Time(time.Now()) - - for _, pod := range failedPods { - appName, ok := pod.Labels["appName"] - if !ok { - continue - } - workloadID, ok := pod.Labels["workloadID"] - if !ok { - continue - } - - if pod.Labels["workloadType"] == WorkloadTypeAPI { - continue - } - - if checkedWorkloadIDs.Has(workloadID) { - continue - } - checkedWorkloadIDs.Add(workloadID) - - savedWorkloadSpec, err := getSavedWorkloadSpec(workloadID, appName) - if err != nil { - return err - } - if savedWorkloadSpec == nil { - continue - } - - resourceWorkloadIDs := make(map[string]string, len(savedWorkloadSpec.Resources)) - for _, resource := range savedWorkloadSpec.Resources { - resourceWorkloadIDs[resource.ID] = workloadID - } - - savedStatuses, err := getDataSavedStatuses(resourceWorkloadIDs, appName) - if err != nil { - return err - } - - var savedStatusesToUpload []*resource.DataSavedStatus - for resourceID, res := range savedWorkloadSpec.Resources { - savedStatus := savedStatuses[resourceID] - - if savedStatus == nil { - savedStatus = 
&resource.DataSavedStatus{ - BaseSavedStatus: resource.BaseSavedStatus{ - ResourceID: resourceID, - ResourceType: res.ResourceType, - WorkloadID: workloadID, - AppName: appName, - }, - } - } - - if savedStatus.End == nil { - savedStatus.End = nowTime - if savedStatus.Start == nil { - savedStatus.Start = nowTime - } - - switch k8s.GetPodStatus(&pod) { - case k8s.PodStatusKilled: - savedStatus.ExitCode = resource.ExitCodeDataKilled - case k8s.PodStatusKilledOOM: - savedStatus.ExitCode = resource.ExitCodeDataOOM - default: - savedStatus.ExitCode = resource.ExitCodeDataFailed - } - - savedStatusesToUpload = append(savedStatusesToUpload, savedStatus) - } - } - - err = uploadDataSavedStatuses(savedStatusesToUpload) - if err != nil { - return err - } - } - return nil -} From 928675a147572310401680aeda5f0a44df194d71 Mon Sep 17 00:00:00 2001 From: David Eliahu Date: Wed, 17 Jul 2019 15:37:54 -0700 Subject: [PATCH 07/68] Rename pod check intervals --- pkg/operator/workloads/logs.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/operator/workloads/logs.go b/pkg/operator/workloads/logs.go index 41f45eaea0..f637f4ec8d 100644 --- a/pkg/operator/workloads/logs.go +++ b/pkg/operator/workloads/logs.go @@ -42,8 +42,8 @@ const ( socketCloseGracePeriod = 10 * time.Second socketMaxMessageSize = 8192 - podCheckInterval = 5 * time.Second - pendingLogCheckInterval = 1 * time.Second + pendingPodCheckInterval = 1 * time.Second + newPodCheckInterval = 5 * time.Second maxParallelPodLogging = 5 initLogTailLines = 20 ) @@ -132,7 +132,7 @@ func ReadLogs(appName string, workloadID string, verbose bool, socket *websocket wrotePending = true } - time.Sleep(pendingLogCheckInterval) + time.Sleep(pendingPodCheckInterval) } } @@ -288,7 +288,7 @@ func podCheck(podCheckCancel chan struct{}, socket *websocket.Conn, initialPodLi delete(processMap, podName) } deleteProcesses(deleteMap) - timer.Reset(podCheckInterval) + timer.Reset(newPodCheckInterval) } } } 
From 4d954159d9bb7358e23a8e3028afd4d11666df5d Mon Sep 17 00:00:00 2001 From: David Eliahu Date: Wed, 17 Jul 2019 16:09:57 -0700 Subject: [PATCH 08/68] Update operator_local --- Makefile | 4 ++-- dev/operator_local.sh | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index b0403930ab..94e7fcc085 100644 --- a/Makefile +++ b/Makefile @@ -21,10 +21,10 @@ SHELL := /bin/bash # Cortex devstart: - @kill $(shell pgrep -f rerun); ./dev/operator_local.sh || true + @./dev/operator_local.sh || true killdev: - @kill $(shell pgrep -f rerun) + @kill $(shell pgrep -f rerun) >/dev/null 2>&1 || true kubectl: @eksctl utils write-kubeconfig --name="cortex" diff --git a/dev/operator_local.sh b/dev/operator_local.sh index c4d223b8c8..e8dd4ae50d 100755 --- a/dev/operator_local.sh +++ b/dev/operator_local.sh @@ -26,6 +26,9 @@ export CONST_OPERATOR_TRANSFORMERS_DIR=$ROOT/pkg/transformers export CONST_OPERATOR_ESTIMATORS_DIR=$ROOT/pkg/estimators export CONST_OPERATOR_IN_CLUSTER=false +kill $(pgrep -f rerun) >/dev/null 2>&1 || true + rerun -watch $ROOT/pkg $ROOT/cli -ignore $ROOT/vendor $ROOT/bin -run sh -c \ "go build -o $ROOT/bin/operator $ROOT/pkg/operator && go build -installsuffix cgo -o $ROOT/bin/cortex $ROOT/cli && $ROOT/bin/operator" -# go run -race $ROOT/pkg/operator/operator.go + +# go run -race $ROOT/pkg/operator/operator.go # Check for race conditions. Doesn't seem to catch them all? From 1c01b3a3817dac102d05c2d23e169b7c1b2a7178 Mon Sep 17 00:00:00 2001 From: David Eliahu Date: Wed, 17 Jul 2019 16:26:28 -0700 Subject: [PATCH 09/68] Skip external dataset check if no environment --- pkg/operator/workloads/workflow.go | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/pkg/operator/workloads/workflow.go b/pkg/operator/workloads/workflow.go index 58055f7090..f74fa60af4 100644 --- a/pkg/operator/workloads/workflow.go +++ b/pkg/operator/workloads/workflow.go 
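Review bot: The added `kill $(pgrep -f rerun) >/dev/null 2>&1 || true` in `dev/operator_local.sh` matches every process whose full command line contains the string "rerun", not only the watcher this script started, so an unrelated process of the same user can be terminated. Narrowing the pattern to this checkout and to the current user avoids that, for example `pkill -u "$(id -u)" -f "rerun -watch $ROOT/pkg" >/dev/null 2>&1 || true`. Because the output is discarded and the result is forced to success, a failed kill also goes unnoticed, and a second `rerun` may then start next to the old one.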
@@ -67,15 +67,17 @@ func extractWorkloads(ctx *context.Context) []Workload { } func ValidateDeploy(ctx *context.Context) error { - rawDatasetExists, err := config.AWS.IsS3File(filepath.Join(ctx.RawDataset.Key, "_SUCCESS")) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "raw dataset") - } - if !rawDatasetExists { - externalPath := ctx.Environment.Data.GetPath() - externalDataExists, err := aws.IsS3aPathPrefixExternal(externalPath) - if !externalDataExists || err != nil { - return errors.Wrap(userconfig.ErrorExternalNotFound(externalPath), ctx.App.Name, userconfig.Identify(ctx.Environment), userconfig.DataKey, userconfig.PathKey) + if ctx.Environment != nil { + rawDatasetExists, err := config.AWS.IsS3File(filepath.Join(ctx.RawDataset.Key, "_SUCCESS")) + if err != nil { + return errors.Wrap(err, ctx.App.Name, "raw dataset") + } + if !rawDatasetExists { + externalPath := ctx.Environment.Data.GetPath() + externalDataExists, err := aws.IsS3aPathPrefixExternal(externalPath) + if !externalDataExists || err != nil { + return errors.Wrap(userconfig.ErrorExternalNotFound(externalPath), ctx.App.Name, userconfig.Identify(ctx.Environment), userconfig.DataKey, userconfig.PathKey) + } } } From 05e43cb8546ee0c7707a4c67eb65d165b961d034 Mon Sep 17 00:00:00 2001 From: David Eliahu Date: Wed, 17 Jul 2019 17:03:11 -0700 Subject: [PATCH 10/68] Cap desired replicas at max replicas --- pkg/operator/workloads/api_status.go | 3 +++ pkg/operator/workloads/api_workload.go | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/operator/workloads/api_status.go b/pkg/operator/workloads/api_status.go index a5852b45c4..ad4d5d717e 100644 --- a/pkg/operator/workloads/api_status.go +++ b/pkg/operator/workloads/api_status.go 
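Review bot: The condition `if !externalDataExists || err != nil`, now inside the `ctx.Environment != nil` guard, reports every failure of `aws.IsS3aPathPrefixExternal` as `userconfig.ErrorExternalNotFound`, so a permission or connectivity error would presumably look the same as a missing path. Handling the error first keeps the cause: `if err != nil { return errors.Wrap(err, ctx.App.Name, userconfig.Identify(ctx.Environment), userconfig.DataKey, userconfig.PathKey) }`, with the not-found return left for `!externalDataExists` alone. This logic predates the commit and is only re-indented here. `ValidateDeploy` continues past the end of the hunk.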
@@ -361,6 +361,9 @@ func getGroupedReplicaCounts(apiStatuses []*resource.APIStatus, ctx *context.Con if groupedReplicaCounts.Requested < ctxAPI.Compute.MinReplicas { groupedReplicaCounts.Requested = ctxAPI.Compute.MinReplicas } + if groupedReplicaCounts.Requested > ctxAPI.Compute.MaxReplicas { + groupedReplicaCounts.Requested = ctxAPI.Compute.MaxReplicas + } } else { groupedReplicaCounts.ReadyStaleModel += apiStatus.TotalReady() groupedReplicaCounts.FailedStaleModel += apiStatus.TotalFailed() diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index fcbcb2f76c..59afb4cd5b 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go @@ -88,9 +88,12 @@ func (aw *APIWorkload) Start(ctx *context.Context) error { if k8sDeloyment != nil && k8sDeloyment.Spec.Replicas != nil { desiredReplicas = *k8sDeloyment.Spec.Replicas } - if hpa != nil && hpa.Spec.MinReplicas != nil && *hpa.Spec.MinReplicas > desiredReplicas { + if hpa != nil && hpa.Spec.MinReplicas != nil && desiredReplicas < *hpa.Spec.MinReplicas { desiredReplicas = *hpa.Spec.MinReplicas } + if hpa != nil && desiredReplicas > hpa.Spec.MaxReplicas { + desiredReplicas = hpa.Spec.MaxReplicas + } var deploymentSpec *kapps.Deployment From edf1816418f9aa60442587cb80ae035a1f497a73 Mon Sep 17 00:00:00 2001 From: David Eliahu Date: Thu, 18 Jul 2019 11:30:38 -0700 Subject: [PATCH 11/68] Update api workload succeeded check --- pkg/operator/workloads/api_status.go | 66 +++++++++++++++++++++----- pkg/operator/workloads/api_workload.go | 25 +++++----- 2 files changed, 68 insertions(+), 23 deletions(-) diff --git a/pkg/operator/workloads/api_status.go b/pkg/operator/workloads/api_status.go index ad4d5d717e..bef1767f04 100644 --- a/pkg/operator/workloads/api_status.go +++ b/pkg/operator/workloads/api_status.go 
@@ -20,6 +20,7 @@ import ( "time" kapps "k8s.io/api/apps/v1" + kautoscaling "k8s.io/api/autoscaling/v1" kcore "k8s.io/api/core/v1" "github.com/cortexlabs/cortex/pkg/lib/errors" @@ -192,6 +193,29 @@ func getReplicaCountsMap( return replicaCountsMap } +func numUpdatedReadyReplicas(ctx *context.Context, api *context.API) (int32, error) { + podList, err := config.Kubernetes.ListPodsByLabels(map[string]string{ + "workloadType": workloadTypeAPI, + "appName": ctx.App.Name, + "resourceID": api.ID, + "userFacing": "true", + }) + if err != nil { + return 0, errors.Wrap(err, ctx.App.Name) + } + + var readyReplicas int32 + apiComputeID := api.Compute.IDWithoutReplicas() + for _, pod := range podList { + podStatus := k8s.GetPodStatus(&pod) + if podStatus == k8s.PodStatusRunning && APIPodComputeID(pod.Spec.Containers) == apiComputeID { + readyReplicas++ + } + } + + return readyReplicas, nil +} + func apiStatusCode(apiStatus *resource.APIStatus) resource.StatusCode { if apiStatus.MaxReplicas == 0 { if apiStatus.TotalReady() > 0 { @@ -353,17 +377,7 @@ func getGroupedReplicaCounts(apiStatuses []*resource.APIStatus, ctx *context.Con groupedReplicaCounts.ReadyStaleCompute = apiStatus.ReadyStaleCompute groupedReplicaCounts.FailedUpdated = apiStatus.FailedUpdatedCompute groupedReplicaCounts.FailedStaleCompute = apiStatus.FailedStaleCompute - - groupedReplicaCounts.Requested = ctxAPI.Compute.InitReplicas - if apiStatus.K8sRequested > 0 { - groupedReplicaCounts.Requested = apiStatus.K8sRequested - } - if groupedReplicaCounts.Requested < ctxAPI.Compute.MinReplicas { - groupedReplicaCounts.Requested = ctxAPI.Compute.MinReplicas - } - if groupedReplicaCounts.Requested > ctxAPI.Compute.MaxReplicas { - groupedReplicaCounts.Requested = ctxAPI.Compute.MaxReplicas - } + groupedReplicaCounts.Requested = getRequestedReplicas(ctxAPI, apiStatus.K8sRequested, nil) } else { groupedReplicaCounts.ReadyStaleModel += apiStatus.TotalReady() groupedReplicaCounts.FailedStaleModel += apiStatus.TotalFailed() 
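Review bot: `numUpdatedReadyReplicas` has no doc comment, and its name says "ready" while the loop counts pods for which `k8s.GetPodStatus` returns `k8s.PodStatusRunning`; whether that status implies a passed readiness probe is not visible in this hunk. A comment such as `// numUpdatedReadyReplicas counts user-facing API pods of this app and resource that are running with the API's current compute ID (replica counts ignored).` would state what "updated" means here. The error is wrapped with `ctx.App.Name` only; adding an identifier of the API, for example `api.ID`, which the label map already uses, would make a failed pod listing easier to attribute.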
@@ -373,6 +387,36 @@ func getGroupedReplicaCounts(apiStatuses []*resource.APIStatus, ctx *context.Con return groupedReplicaCounts } +func getRequestedReplicas(api *context.API, k8sRequested int32, hpa *kautoscaling.HorizontalPodAutoscaler) int32 { + // In case HPA hasn't updated the k8s deployment yet. May not be common, so not necessary to pass in hpa + if hpa != nil && hpa.Spec.MinReplicas != nil && k8sRequested < *hpa.Spec.MinReplicas { + k8sRequested = *hpa.Spec.MinReplicas + } + if hpa != nil && k8sRequested > hpa.Spec.MaxReplicas { + k8sRequested = hpa.Spec.MaxReplicas + } + + requestedReplicas := api.Compute.InitReplicas + if k8sRequested > 0 { + requestedReplicas = k8sRequested + } + if requestedReplicas < api.Compute.MinReplicas { + requestedReplicas = api.Compute.MinReplicas + } + if requestedReplicas > api.Compute.MaxReplicas { + requestedReplicas = api.Compute.MaxReplicas + } + return requestedReplicas +} + +func getRequestedReplicasFromDeployment(api *context.API, k8sDeployment *kapps.Deployment, hpa *kautoscaling.HorizontalPodAutoscaler) int32 { + var k8sRequested int32 + if k8sDeployment != nil && k8sDeployment.Spec.Replicas != nil { + k8sRequested = *k8sDeployment.Spec.Replicas + } + return getRequestedReplicas(api, k8sRequested, hpa) +} + func setInsufficientComputeAPIStatusCodes(apiStatuses map[string]*resource.APIStatus, ctx *context.Context) error { stalledPods, err := config.Kubernetes.StalledPods() if err != nil { diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index 59afb4cd5b..5929f63069 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go 
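Review bot: In `getRequestedReplicas` the HPA clamp runs before the `k8sRequested > 0` test, so when `hpa` is non-nil and no deployment replica count is known (`k8sRequested == 0`), the value is raised to `*hpa.Spec.MinReplicas` and `api.Compute.InitReplicas` is never used. The code this replaces in `APIWorkload.Start` started from `InitReplicas` and applied the HPA bounds afterwards, so an HPA that exists without a deployment now changes the initial replica count. If that is not intended, apply the HPA bounds only to a known value by starting both conditions with `hpa != nil && k8sRequested > 0 &&`. The comment above the clamp would also be clearer if it said directly that callers may pass `nil` for `hpa`.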
@@ -84,16 +84,7 @@ func (aw *APIWorkload) Start(ctx *context.Context) error { return err } - desiredReplicas := api.Compute.InitReplicas - if k8sDeloyment != nil && k8sDeloyment.Spec.Replicas != nil { - desiredReplicas = *k8sDeloyment.Spec.Replicas - } - if hpa != nil && hpa.Spec.MinReplicas != nil && desiredReplicas < *hpa.Spec.MinReplicas { - desiredReplicas = *hpa.Spec.MinReplicas - } - if hpa != nil && desiredReplicas > hpa.Spec.MaxReplicas { - desiredReplicas = hpa.Spec.MaxReplicas - } + desiredReplicas := getRequestedReplicasFromDeployment(api, k8sDeloyment, hpa) var deploymentSpec *kapps.Deployment @@ -150,7 +141,12 @@ func (aw *APIWorkload) IsSucceeded(ctx *context.Context) (bool, error) { return false, nil } - if k8sDeployment.Status.AvailableReplicas < api.Compute.MinReplicas || k8sDeployment.Status.UpdatedReplicas < api.Compute.MinReplicas { + updatedReplicas, err := numUpdatedReadyReplicas(ctx, api) + if err != nil { + return false, err + } + requestedReplicas := getRequestedReplicasFromDeployment(api, k8sDeployment, hpa) + if updatedReplicas < requestedReplicas { return false, nil } @@ -178,7 +174,12 @@ func (aw *APIWorkload) IsRunning(ctx *context.Context) (bool, error) { return false, nil } - if k8sDeployment.Status.AvailableReplicas < api.Compute.MinReplicas || k8sDeployment.Status.UpdatedReplicas < api.Compute.MinReplicas { + updatedReplicas, err := numUpdatedReadyReplicas(ctx, api) + if err != nil { + return false, err + } + requestedReplicas := getRequestedReplicasFromDeployment(api, k8sDeployment, hpa) + if updatedReplicas < requestedReplicas { return true, nil } From 76a325fff2785bef06fb511ab660756447b0ffe0 Mon Sep 17 00:00:00 2001 
From: David Eliahu Date: Thu, 18 Jul 2019 12:49:27 -0700 Subject: [PATCH 12/68] Use Update() instead of Patch() in k8s --- pkg/lib/k8s/configmap.go | 12 ++---------- pkg/lib/k8s/deployment.go | 13 +++---------- pkg/lib/k8s/hpa.go | 14 +++----------- pkg/lib/k8s/ingress.go | 14 +++----------- pkg/lib/k8s/job.go | 14 +++----------- pkg/lib/k8s/pod.go | 13 +++---------- pkg/lib/k8s/service.go | 17 ++++++----------- pkg/lib/spark/spark.go | 14 +++----------- 8 files changed, 26 insertions(+), 85 deletions(-) diff --git a/pkg/lib/k8s/configmap.go b/pkg/lib/k8s/configmap.go index 4f9c6fa236..fb6b4f8a62 100644 --- a/pkg/lib/k8s/configmap.go +++ b/pkg/lib/k8s/configmap.go @@ -61,16 +61,8 @@ func (c *Client) CreateConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, return configMap, nil } -func (c *Client) UpdateConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, error) { +func (c *Client) updateConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, error) { configMap.TypeMeta = configMapTypeMeta - - // This didn't support deleting keys from configMap.Data - // objBytes, err := json.Marshal(configMap) - // if err != nil { - // return nil, err - // } - // configMap, err = c.configMapClient.Patch(configMap.Name, ktypes.MergePatchType, objBytes) - configMap, err := c.configMapClient.Update(configMap) if err != nil { return nil, errors.WithStack(err) @@ -86,7 +78,7 @@ func (c *Client) ApplyConfigMap(configMap *kcore.ConfigMap) (*kcore.ConfigMap, e if existing == nil { return c.CreateConfigMap(configMap) } - return c.UpdateConfigMap(configMap) + return c.updateConfigMap(configMap) } func (c *Client) GetConfigMap(name string) (*kcore.ConfigMap, error) { diff --git a/pkg/lib/k8s/deployment.go b/pkg/lib/k8s/deployment.go index d0376e6d0a..3501ff7100 100644 --- a/pkg/lib/k8s/deployment.go +++ b/pkg/lib/k8s/deployment.go 
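Review bot: `ApplyConfigMap` reads `existing` but hands the caller's object to `updateConfigMap` without copying `existing.ResourceVersion`, so the `Update()` is not tied to the version that was just read, and a change made in between by another writer would be overwritten without a conflict error (unless callers set the field themselves, which is not visible here). Only `ApplyService` in this commit sets `service.ResourceVersion = existing.ResourceVersion`; `ApplyDeployment`, `ApplyHPA`, `ApplyIngress`, `ApplyJob`, `ApplyPod` and the Spark `Apply` follow the ConfigMap pattern. Adding `configMap.ResourceVersion = existing.ResourceVersion` before the update, and the equivalent line in the others, makes the write conditional. `Update()` also replaces the whole object where the merge patch left unmentioned fields alone, so it is worth confirming that no other controller writes fields on these objects. `ApplyConfigMap` starts outside the hunk.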
@@ -17,14 +17,12 @@ limitations under the License. package k8s import ( - "encoding/json" "time" kapps "k8s.io/api/apps/v1" kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" ) @@ -91,14 +89,9 @@ func (c *Client) CreateDeployment(deployment *kapps.Deployment) (*kapps.Deployme return deployment, nil } -func (c *Client) UpdateDeployment(deployment *kapps.Deployment) (*kapps.Deployment, error) { +func (c *Client) updateDeployment(deployment *kapps.Deployment) (*kapps.Deployment, error) { deployment.TypeMeta = deploymentTypeMeta - objBytes, err := json.Marshal(deployment) - if err != nil { - return nil, err - } - - deployment, err = c.deploymentClient.Patch(deployment.Name, ktypes.MergePatchType, objBytes) + deployment, err := c.deploymentClient.Update(deployment) if err != nil { return nil, errors.WithStack(err) } @@ -113,7 +106,7 @@ func (c *Client) ApplyDeployment(deployment *kapps.Deployment) (*kapps.Deploymen if existing == nil { return c.CreateDeployment(deployment) } - return c.UpdateDeployment(deployment) + return c.updateDeployment(deployment) } func (c *Client) GetDeployment(name string) (*kapps.Deployment, error) { diff --git a/pkg/lib/k8s/hpa.go b/pkg/lib/k8s/hpa.go index b57d936051..dee3ab7379 100644 --- a/pkg/lib/k8s/hpa.go +++ b/pkg/lib/k8s/hpa.go @@ -17,12 +17,9 @@ limitations under the License. package k8s import ( - "encoding/json" - kautoscaling "k8s.io/api/autoscaling/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" ) 
@@ -75,14 +72,9 @@ func (c *Client) CreateHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautosca return hpa, nil } -func (c *Client) UpdateHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautoscaling.HorizontalPodAutoscaler, error) { +func (c *Client) updateHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautoscaling.HorizontalPodAutoscaler, error) { hpa.TypeMeta = hpaTypeMeta - objBytes, err := json.Marshal(hpa) - if err != nil { - return nil, err - } - - hpa, err = c.hpaClient.Patch(hpa.Name, ktypes.MergePatchType, objBytes) + hpa, err := c.hpaClient.Update(hpa) if err != nil { return nil, errors.WithStack(err) } @@ -97,7 +89,7 @@ func (c *Client) ApplyHPA(hpa *kautoscaling.HorizontalPodAutoscaler) (*kautoscal if existing == nil { return c.CreateHPA(hpa) } - return c.UpdateHPA(hpa) + return c.updateHPA(hpa) } func (c *Client) GetHPA(name string) (*kautoscaling.HorizontalPodAutoscaler, error) { diff --git a/pkg/lib/k8s/ingress.go b/pkg/lib/k8s/ingress.go index 56acdaefff..56f5f77de3 100644 --- a/pkg/lib/k8s/ingress.go +++ b/pkg/lib/k8s/ingress.go @@ -17,12 +17,9 @@ limitations under the License. package k8s import ( - "encoding/json" - kextensions "k8s.io/api/extensions/v1beta1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" intstr "k8s.io/apimachinery/pkg/util/intstr" "github.com/cortexlabs/cortex/pkg/lib/errors" 
@@ -92,14 +89,9 @@ func (c *Client) CreateIngress(ingress *kextensions.Ingress) (*kextensions.Ingre return ingress, nil } -func (c *Client) UpdateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { +func (c *Client) updateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { ingress.TypeMeta = ingressTypeMeta - objBytes, err := json.Marshal(ingress) - if err != nil { - return nil, err - } - - ingress, err = c.ingressClient.Patch(ingress.Name, ktypes.MergePatchType, objBytes) + ingress, err := c.ingressClient.Update(ingress) if err != nil { return nil, errors.WithStack(err) } @@ -114,7 +106,7 @@ func (c *Client) ApplyIngress(ingress *kextensions.Ingress) (*kextensions.Ingres if existing == nil { return c.CreateIngress(ingress) } - return c.UpdateIngress(ingress) + return c.updateIngress(ingress) } func (c *Client) GetIngress(name string) (*kextensions.Ingress, error) { diff --git a/pkg/lib/k8s/job.go b/pkg/lib/k8s/job.go index d2fc56deaa..e96f665c4a 100644 --- a/pkg/lib/k8s/job.go +++ b/pkg/lib/k8s/job.go @@ -17,13 +17,10 @@ limitations under the License. package k8s import ( - "encoding/json" - kbatch "k8s.io/api/batch/v1" kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" ) @@ -88,14 +85,9 @@ func (c *Client) CreateJob(job *kbatch.Job) (*kbatch.Job, error) { return job, nil } -func (c *Client) UpdateJob(job *kbatch.Job) (*kbatch.Job, error) { +func (c *Client) updateJob(job *kbatch.Job) (*kbatch.Job, error) { job.TypeMeta = jobTypeMeta - objBytes, err := json.Marshal(job) - if err != nil { - return nil, err - } - - job, err = c.jobClient.Patch(job.Name, ktypes.MergePatchType, objBytes) + job, err := c.jobClient.Update(job) if err != nil { return nil, errors.WithStack(err) } 
@@ -110,7 +102,7 @@ func (c *Client) ApplyJob(job *kbatch.Job) (*kbatch.Job, error) { if existing == nil { return c.CreateJob(job) } - return c.UpdateJob(job) + return c.updateJob(job) } func (c *Client) GetJob(name string) (*kbatch.Job, error) { diff --git a/pkg/lib/k8s/pod.go b/pkg/lib/k8s/pod.go index d4d8a84e6e..7e132bc2e3 100644 --- a/pkg/lib/k8s/pod.go +++ b/pkg/lib/k8s/pod.go @@ -17,13 +17,11 @@ limitations under the License. package k8s import ( - "encoding/json" "time" kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" "github.com/cortexlabs/cortex/pkg/lib/errors" libtime "github.com/cortexlabs/cortex/pkg/lib/time" @@ -86,14 +84,9 @@ func (c *Client) CreatePod(pod *kcore.Pod) (*kcore.Pod, error) { return pod, nil } -func (c *Client) UpdatePod(pod *kcore.Pod) (*kcore.Pod, error) { +func (c *Client) updatePod(pod *kcore.Pod) (*kcore.Pod, error) { pod.TypeMeta = podTypeMeta - objBytes, err := json.Marshal(pod) - if err != nil { - return nil, err - } - - pod, err = c.podClient.Patch(pod.Name, ktypes.MergePatchType, objBytes) + pod, err := c.podClient.Update(pod) if err != nil { return nil, errors.WithStack(err) } @@ -108,7 +101,7 @@ func (c *Client) ApplyPod(pod *kcore.Pod) (*kcore.Pod, error) { if existing == nil { return c.CreatePod(pod) } - return c.UpdatePod(pod) + return c.updatePod(pod) } func GetPodLastContainerStartTime(pod *kcore.Pod) *time.Time { diff --git a/pkg/lib/k8s/service.go b/pkg/lib/k8s/service.go index 1cb7f74878..8bd4149979 100644 --- a/pkg/lib/k8s/service.go +++ b/pkg/lib/k8s/service.go @@ -17,12 +17,9 @@ limitations under the License. package k8s import ( - "encoding/json" - kcore "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" intstr "k8s.io/apimachinery/pkg/util/intstr" "github.com/cortexlabs/cortex/pkg/lib/errors" 
@@ -78,14 +75,9 @@ func (c *Client) CreateService(service *kcore.Service) (*kcore.Service, error) { return service, nil } -func (c *Client) UpdateService(service *kcore.Service) (*kcore.Service, error) { +func (c *Client) updateService(service *kcore.Service) (*kcore.Service, error) { service.TypeMeta = serviceTypeMeta - objBytes, err := json.Marshal(service) - if err != nil { - return nil, err - } - - service, err = c.serviceClient.Patch(service.Name, ktypes.MergePatchType, objBytes) + service, err := c.serviceClient.Update(service) if err != nil { return nil, errors.WithStack(err) } @@ -100,7 +92,10 @@ func (c *Client) ApplyService(service *kcore.Service) (*kcore.Service, error) { if existing == nil { return c.CreateService(service) } - return c.UpdateService(service) + + service.Spec.ClusterIP = existing.Spec.ClusterIP + service.ResourceVersion = existing.ResourceVersion + return c.updateService(service) } func (c *Client) GetService(name string) (*kcore.Service, error) { diff --git a/pkg/lib/spark/spark.go b/pkg/lib/spark/spark.go index d2a8dba341..19c64e6650 100644 --- a/pkg/lib/spark/spark.go +++ b/pkg/lib/spark/spark.go @@ -17,14 +17,11 @@ limitations under the License. package spark import ( - "encoding/json" - sparkop "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/apis/sparkoperator.k8s.io/v1alpha1" sparkopclientset "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/client/clientset/versioned" sparkopclientapi "github.com/GoogleCloudPlatform/spark-on-k8s-operator/pkg/client/clientset/versioned/typed/sparkoperator.k8s.io/v1alpha1" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" kclientrest "k8s.io/client-go/rest" "github.com/cortexlabs/cortex/pkg/lib/errors" 
@@ -84,14 +81,9 @@ func (c *Client) Create(sparkApp *sparkop.SparkApplication) (*sparkop.SparkAppli return sparkApp, nil } -func (c *Client) Update(sparkApp *sparkop.SparkApplication) (*sparkop.SparkApplication, error) { +func (c *Client) update(sparkApp *sparkop.SparkApplication) (*sparkop.SparkApplication, error) { sparkApp.TypeMeta = sparkAppTypeMeta - objBytes, err := json.Marshal(sparkApp) - if err != nil { - return nil, err - } - - sparkApp, err = c.sparkClient.Patch(sparkApp.Name, ktypes.MergePatchType, objBytes) + sparkApp, err := c.sparkClient.Update(sparkApp) if err != nil { return nil, errors.WithStack(err) } @@ -106,7 +98,7 @@ func (c *Client) Apply(sparkApp *sparkop.SparkApplication) (*sparkop.SparkApplic if existing == nil { return c.Create(sparkApp) } - return c.Update(sparkApp) + return c.update(sparkApp) } func (c *Client) Get(name string) (*sparkop.SparkApplication, error) { From e265d88835e533016e06fa142ddf25f817dcd036 Mon Sep 17 00:00:00 2001 From: David Eliahu Date: Thu, 18 Jul 2019 12:49:42 -0700 Subject: [PATCH 13/68] Remove killdev make command --- Makefile | 3 --- 1 file changed, 3 deletions(-) diff --git a/Makefile b/Makefile index 94e7fcc085..9ce8df0052 100644 --- a/Makefile +++ b/Makefile @@ -23,9 +23,6 @@ SHELL := /bin/bash devstart: @./dev/operator_local.sh || true -killdev: - @kill $(shell pgrep -f rerun) >/dev/null 2>&1 || true - kubectl: @eksctl utils write-kubeconfig --name="cortex" @kubectl config set-context --current --namespace="cortex" From 8981de200f3bdc335f5c61b4badcadc023eec4ba Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Thu, 18 Jul 2019 17:50:51 -0400 Subject: [PATCH 14/68] fix api --- manager/manifests/istio/values.yaml | 8 +- manager/manifests/operator.yaml | 2 + pkg/lib/k8s/deployment.go | 22 +-- pkg/lib/k8s/ingress.go | 182 ------------------------- pkg/lib/k8s/k8s.go | 3 - pkg/lib/k8s/service.go | 8 +- pkg/lib/k8s/virtual_service.go | 109 +++++++++++++-- pkg/operator/workloads/api_workload.go | 79 +++++------ pkg/operator/workloads/workflow.go | 6 +- pkg/workloads/cortex/tf_api/api.py | 1 - 10 files changed, 158 insertions(+), 262 deletions(-) delete mode 100644 pkg/lib/k8s/ingress.go diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml index 20ac9f7e64..72dc1a35e6 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio/values.yaml @@ -124,6 +124,12 @@ gateways: # sidecarInjectorWebhook: enabled: true + alwaysInjectSelector: + - matchLabels: + workloadType: api + - matchLabels: + workloadType: operator + # # galley configuration, refer to charts/galley/values.yaml @@ -321,7 +327,7 @@ global: excludeInboundPorts: "" # This controls the 'policy' in the sidecar injector. - autoInject: enabled + autoInject: disabled # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be :). diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 7285d379ad..4cb7fea23d 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -58,6 +58,8 @@ spec: version: v1 workloadID: operator workloadType: operator + annotations: + sidecar.istio.io/inject: "true" spec: serviceAccountName: operator containers: diff --git a/pkg/lib/k8s/deployment.go b/pkg/lib/k8s/deployment.go index 7501e4ed72..9b882de3e4 100644 --- a/pkg/lib/k8s/deployment.go +++ b/pkg/lib/k8s/deployment.go 
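Review bot: Setting `autoInject: disabled` in `values.yaml` makes sidecar injection opt-in, so only pods matched by the new `alwaysInjectSelector` entries (`workloadType: api`, `workloadType: operator`) or carrying the `sidecar.istio.io/inject: "true"` annotation get an Envoy proxy. Every other workload type then runs outside the mesh and outside any mTLS or authorization policy that the sidecar enforces. If that is intended, a comment next to `autoInject` should say so, for example `# opt-in injection: only api and operator pods join the mesh (see sidecarInjectorWebhook.alwaysInjectSelector)`. The operator pod template in `operator.yaml` is selected twice, by its `workloadType: operator` label and by the added annotation; one mechanism is enough.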
@@ -35,13 +35,14 @@ var deploymentTypeMeta = kmeta.TypeMeta{ } type DeploymentSpec struct { - Spec *DeploymentSpec - Name string - Namespace string - Replicas int32 - PodSpec PodSpec - Labels map[string]string - Selector map[string]string + Spec *DeploymentSpec + Name string + Namespace string + Replicas int32 + PodSpec PodSpec + Labels map[string]string + Annotations map[string]string + Selector map[string]string } func Deployment(spec *DeploymentSpec) *kapps.Deployment { @@ -61,9 +62,10 @@ func Deployment(spec *DeploymentSpec) *kapps.Deployment { deployment := &kapps.Deployment{ TypeMeta: deploymentTypeMeta, ObjectMeta: kmeta.ObjectMeta{ - Name: spec.Name, - Namespace: spec.Namespace, - Labels: spec.Labels, + Name: spec.Name, + Namespace: spec.Namespace, + Labels: spec.Labels, + Annotations: spec.Annotations, }, Spec: kapps.DeploymentSpec{ Replicas: &spec.Replicas, diff --git a/pkg/lib/k8s/ingress.go b/pkg/lib/k8s/ingress.go deleted file mode 100644 index 56acdaefff..0000000000 --- a/pkg/lib/k8s/ingress.go +++ /dev/null 
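Review bot: The new `Annotations` field is copied only into the Deployment's own `ObjectMeta` in the second hunk. If it is meant to carry pod-level annotations such as `sidecar.istio.io/inject` (which this commit adds to the pod template in `operator.yaml`), it has to be set on the pod template metadata, because annotations on the Deployment object are not propagated to its pods. The pod template is built below the end of the hunk, so whether it also receives `spec.Annotations` is not visible here. If it does not, either add `Annotations: spec.Annotations` to the template's `ObjectMeta` or document the field, e.g. `// Annotations are set on the Deployment object only, not on its pods`.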
@@ -1,182 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package k8s - -import ( - "encoding/json" - - kextensions "k8s.io/api/extensions/v1beta1" - kerrors "k8s.io/apimachinery/pkg/api/errors" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - ktypes "k8s.io/apimachinery/pkg/types" - intstr "k8s.io/apimachinery/pkg/util/intstr" - - "github.com/cortexlabs/cortex/pkg/lib/errors" -) - -var ingressTypeMeta = kmeta.TypeMeta{ - APIVersion: "extensions/v1beta1", - Kind: "Ingress", -} - -type IngressSpec struct { - Name string - Namespace string - IngressClass string - ServiceName string - ServicePort int32 - Path string - Labels map[string]string -} - -func Ingress(spec *IngressSpec) *kextensions.Ingress { - if spec.Namespace == "" { - spec.Namespace = "default" - } - ingress := &kextensions.Ingress{ - TypeMeta: ingressTypeMeta, - ObjectMeta: kmeta.ObjectMeta{ - Name: spec.Name, - Namespace: spec.Namespace, - Annotations: map[string]string{ - "kubernetes.io/ingress.class": spec.IngressClass, - "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "https", - }, - Labels: spec.Labels, - }, - Spec: kextensions.IngressSpec{ - Rules: []kextensions.IngressRule{ - { - IngressRuleValue: kextensions.IngressRuleValue{ - HTTP: &kextensions.HTTPIngressRuleValue{ - Paths: []kextensions.HTTPIngressPath{ - { - Path: spec.Path, - Backend: kextensions.IngressBackend{ - ServiceName: spec.ServiceName, - ServicePort: intstr.IntOrString{ - IntVal: 
spec.ServicePort, - }, - }, - }, - }, - }, - }, - }, - }, - }, - } - return ingress -} - -func (c *Client) CreateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { - ingress.TypeMeta = ingressTypeMeta - ingress, err := c.ingressClient.Create(ingress) - if err != nil { - return nil, errors.WithStack(err) - } - return ingress, nil -} - -func (c *Client) UpdateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { - ingress.TypeMeta = ingressTypeMeta - objBytes, err := json.Marshal(ingress) - if err != nil { - return nil, err - } - - ingress, err = c.ingressClient.Patch(ingress.Name, ktypes.MergePatchType, objBytes) - if err != nil { - return nil, errors.WithStack(err) - } - return ingress, nil -} - -func (c *Client) ApplyIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { - existing, err := c.GetIngress(ingress.Name) - if err != nil { - return nil, err - } - if existing == nil { - return c.CreateIngress(ingress) - } - return c.UpdateIngress(ingress) -} - -func (c *Client) GetIngress(name string) (*kextensions.Ingress, error) { - ingress, err := c.ingressClient.Get(name, kmeta.GetOptions{}) - if kerrors.IsNotFound(err) { - return nil, nil - } - if err != nil { - return nil, errors.WithStack(err) - } - ingress.TypeMeta = ingressTypeMeta - return ingress, nil -} - -func (c *Client) DeleteIngress(name string) (bool, error) { - err := c.ingressClient.Delete(name, deleteOpts) - if kerrors.IsNotFound(err) { - return false, nil - } - if err != nil { - return false, errors.WithStack(err) - } - return true, nil -} - -func (c *Client) IngressExists(name string) (bool, error) { - ingress, err := c.GetIngress(name) - if err != nil { - return false, err - } - return ingress != nil, nil -} - -func (c *Client) ListIngresses(opts *kmeta.ListOptions) ([]kextensions.Ingress, error) { - if opts == nil { - opts = &kmeta.ListOptions{} - } - ingressList, err := c.ingressClient.List(*opts) - if err != nil { - return nil, 
errors.WithStack(err) - } - for i := range ingressList.Items { - ingressList.Items[i].TypeMeta = ingressTypeMeta - } - return ingressList.Items, nil -} - -func (c *Client) ListIngressesByLabels(labels map[string]string) ([]kextensions.Ingress, error) { - opts := &kmeta.ListOptions{ - LabelSelector: LabelSelector(labels), - } - return c.ListIngresses(opts) -} - -func (c *Client) ListIngressesByLabel(labelKey string, labelValue string) ([]kextensions.Ingress, error) { - return c.ListIngressesByLabels(map[string]string{labelKey: labelValue}) -} - -func IngressMap(ingresses []kextensions.Ingress) map[string]kextensions.Ingress { - ingressMap := map[string]kextensions.Ingress{} - for _, ingress := range ingresses { - ingressMap[ingress.Name] = ingress - } - return ingressMap -} diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index 81bd7e1fd0..bca93ec1f1 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -29,7 +29,6 @@ import ( kclientautoscaling "k8s.io/client-go/kubernetes/typed/autoscaling/v1" kclientbatch "k8s.io/client-go/kubernetes/typed/batch/v1" kclientcore "k8s.io/client-go/kubernetes/typed/core/v1" - kclientextensions "k8s.io/client-go/kubernetes/typed/extensions/v1beta1" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" kclientrest "k8s.io/client-go/rest" kclientcmd "k8s.io/client-go/tools/clientcmd" @@ -56,7 +55,6 @@ type Client struct { deploymentClient kclientapps.DeploymentInterface dynamicClient dynamic.Interface jobClient kclientbatch.JobInterface - ingressClient kclientextensions.IngressInterface hpaClient kclientautoscaling.HorizontalPodAutoscalerInterface Namespace string } 
@@ -93,7 +91,6 @@ func New(namespace string, inCluster bool) (*Client, error) { client.configMapClient = client.clientset.CoreV1().ConfigMaps(namespace) client.deploymentClient = client.clientset.AppsV1().Deployments(namespace) client.jobClient = client.clientset.BatchV1().Jobs(namespace) - client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) client.hpaClient = client.clientset.AutoscalingV1().HorizontalPodAutoscalers(namespace) return client, nil } diff --git a/pkg/lib/k8s/service.go b/pkg/lib/k8s/service.go index 6b020f7855..70bf9ddbd6 100644 --- a/pkg/lib/k8s/service.go +++ b/pkg/lib/k8s/service.go @@ -58,7 +58,7 @@ func Service(spec *ServiceSpec) *kcore.Service { Ports: []kcore.ServicePort{ { Protocol: kcore.ProtocolTCP, - Name: "http", + Name: "http", Port: spec.Port, TargetPort: intstr.IntOrString{ IntVal: spec.TargetPort, @@ -116,9 +116,9 @@ func (c *Client) GetService(name string) (*kcore.Service, error) { return service, nil } -func (c *Client) GetIstioService(name string) (*corev1.Service, error) { - service, err := c.istioServiceClient.Get(name, metav1.GetOptions{}) - if k8serrors.IsNotFound(err) { +func (c *Client) GetIstioService(name string) (*kcore.Service, error) { + service, err := c.istioServiceClient.Get(name, kmeta.GetOptions{}) + if kerrors.IsNotFound(err) { return nil, nil } if err != nil { diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index a72a8935c5..813984f1b9 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -18,6 +18,8 @@ limitations under the License. import ( "github.com/cortexlabs/cortex/pkg/lib/errors" + kerrors "k8s.io/apimachinery/pkg/api/errors" + kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -28,6 +30,18 @@ var virtualServiceTypeMeta = metav1.TypeMeta{ Kind: "VirtualService", } +var virtualServiceGVR = schema.GroupVersionResource{ + Group: "networking.istio.io", + Version: "v1alpha3", + Resource: "virtualservices", +} + +var virtualServiceGVK = schema.GroupVersionKind{ + Group: "networking.istio.io", + Version: "v1alpha3", + Kind: "VirtualService", +} + type VirtualServiceSpec struct { Name string Namespace string @@ -40,11 +54,7 @@ type VirtualServiceSpec struct { func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { virtualServceConfig := &unstructured.Unstructured{} - virtualServceConfig.SetGroupVersionKind(schema.GroupVersionKind{ - Group: "networking.istio.io", - Version: "v1alpha3", - Kind: "VirtualService", - }) + virtualServceConfig.SetGroupVersionKind(virtualServiceGVK) virtualServceConfig.SetName(spec.Name) virtualServceConfig.SetNamespace(spec.Namespace) virtualServceConfig.Object["metadata"] = map[string]interface{}{ 
@@ -80,18 +90,93 @@ func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { return virtualServceConfig } -func (c *Client) CreateVirtualService(spec *VirtualServiceSpec) (*unstructured.Unstructured, error) { - virtualServiceGVR := schema.GroupVersionResource{ - Group: "networking.istio.io", - Version: "v1alpha3", - Resource: "virtualservices", +func (c *Client) CreateVirtualService(spec *unstructured.Unstructured) (*unstructured.Unstructured, error) { + virtualService, err := c.dynamicClient. + Resource(virtualServiceGVR). + Namespace(spec.GetNamespace()). + Create(spec, metav1.CreateOptions{ + TypeMeta: virtualServiceTypeMeta, + }) + if err != nil { + return nil, errors.WithStack(err) + } + return virtualService, nil +} + +func (c *Client) UpdateVirtualService(spec *unstructured.Unstructured) (*unstructured.Unstructured, error) { + virtualService, err := c.dynamicClient. + Resource(virtualServiceGVR). + Namespace(spec.GetNamespace()). + Update(spec, metav1.UpdateOptions{ + TypeMeta: virtualServiceTypeMeta, + }) + if err != nil { + return nil, errors.WithStack(err) + } + return virtualService, nil +} + +func (c *Client) ApplyVirtualService(spec *unstructured.Unstructured) (*unstructured.Unstructured, error) { + existing, err := c.GetVirtualService(spec.GetName(), spec.GetNamespace()) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateVirtualService(spec) + } + spec.SetResourceVersion(existing.GetResourceVersion()) + return c.UpdateVirtualService(spec) +} + +func (c *Client) GetVirtualService(name, namespace string) (*unstructured.Unstructured, error) { + virtualService, err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Get(name, metav1.GetOptions{ + TypeMeta: virtualServiceTypeMeta, + }) + + if kerrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) } + return virtualService, nil +} - service, err := 
c.dynamicClient.Resource(virtualServiceGVR).Namespace(spec.Namespace).Create(VirtualService(spec), metav1.CreateOptions{ +func (c *Client) DeleteVirtualService(name, namespace string) (bool, error) { + err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Delete(name, &metav1.DeleteOptions{ TypeMeta: virtualServiceTypeMeta, }) + if kerrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, errors.WithStack(err) + } + return true, nil +} + +func (c *Client) ListVirtualServices(namespace string, opts *kmeta.ListOptions) ([]unstructured.Unstructured, error) { + if opts == nil { + opts = &kmeta.ListOptions{} + } + + vsList, err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).List(*opts) if err != nil { return nil, errors.WithStack(err) } - return service, nil + for i := range vsList.Items { + vsList.Items[i].SetGroupVersionKind(virtualServiceGVK) + } + return vsList.Items, nil +} + +func (c *Client) ListVirtualServicesByLabels(namespace string, labels map[string]string) ([]unstructured.Unstructured, error) { + opts := &kmeta.ListOptions{ + LabelSelector: LabelSelector(labels), + } + return c.ListVirtualServices(namespace, opts) +} + +func (c *Client) ListVirtualServicesByLabel(namespace string, labelKey string, labelValue string) ([]unstructured.Unstructured, error) { + return c.ListVirtualServicesByLabels(namespace, map[string]string{labelKey: labelValue}) } diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index 1586e34513..22602f1bf9 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go 
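Review bot: The `TypeMeta: virtualServiceTypeMeta` set inside `metav1.CreateOptions`, `UpdateOptions`, `GetOptions` and `DeleteOptions` labels the options object itself as a `VirtualService`; that field describes the kind of the options, while the resource is already selected by `virtualServiceGVR`. It is probably harmless, but it misleads the reader, and empty options such as `metav1.GetOptions{}` state the intent. The file also now imports the same package as both `kmeta` and `metav1`, and the new functions mix the two; settling on `kmeta`, as `service.go` does, keeps the package consistent. None of the new exported methods has a doc comment, and one line each saying that `GetVirtualService` returns `nil, nil` when the object is absent and that `DeleteVirtualService` returns `false` in that case would spare callers a read of the body.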
@@ -19,10 +19,11 @@ package workloads import ( "path" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + kapps "k8s.io/api/apps/v1" kautoscaling "k8s.io/api/autoscaling/v1" kcore "k8s.io/api/core/v1" - kextensions "k8s.io/api/extensions/v1beta1" kresource "k8s.io/apimachinery/pkg/api/resource" intstr "k8s.io/apimachinery/pkg/util/intstr" @@ -106,12 +107,12 @@ func (aw *APIWorkload) Start(ctx *context.Context) error { return errors.New(api.Name, "unknown model format encountered") // unexpected } - _, err = config.Kubernetes.ApplyIngress(ingressSpec(ctx, api)) + _, err = config.Kubernetes.ApplyService(serviceSpec(ctx, api)) if err != nil { return err } - _, err = config.Kubernetes.ApplyService(serviceSpec(ctx, api)) + _, err = config.Kubernetes.ApplyVirtualService(virtualServiceSpec(ctx, api)) if err != nil { return err } @@ -234,6 +235,9 @@ func tfAPISpec( "version": "v1", "apiName": api.Name, }, + Annotations: map[string]string{ + "sidecar.istio.io/inject": "true", + }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ "appName": ctx.App.Name, @@ -280,7 +284,7 @@ func tfAPISpec( Resources: kcore.ResourceRequirements{ Requests: transformResourceList, }, - Ports: []corev1.ContainerPort{ + Ports: []kcore.ContainerPort{ { ContainerPort: defaultPortInt32, }, @@ -314,7 +318,7 @@ func tfAPISpec( Requests: tfServingResourceList, Limits: tfServingLimitsList, }, - Ports: []corev1.ContainerPort{ + Ports: []kcore.ContainerPort{ { ContainerPort: tfServingPortInt32, }, @@ -327,8 +331,7 @@ func tfAPISpec( }, Namespace: config.Cortex.Namespace, } - //return k8s.Deployment(spec) - return spec + return k8s.Deployment(spec) } func onnxAPISpec( 
@@ -361,15 +364,18 @@ func onnxAPISpec( "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, - "service": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "service": workloadTypeAPI, + "app": workloadTypeAPI, }, Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeAPI, "apiName": api.Name, - "service": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "service": workloadTypeAPI, + "app": workloadTypeAPI, + }, + Annotations: map[string]string{ + "sidecar.istio.io/inject": "true", }, PodSpec: k8s.PodSpec{ Labels: map[string]string{ @@ -379,8 +385,8 @@ func onnxAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "userFacing": "true", - "service": WorkloadTypeAPI, - "app": WorkloadTypeAPI, + "service": workloadTypeAPI, + "app": workloadTypeAPI, }, K8sPodSpec: kcore.PodSpec{ Containers: []kcore.Container{ @@ -427,19 +433,24 @@ func onnxAPISpec( }) } -func virtualServiceSpec(ctx *context.Context, api *context.API) *k8s.VirtualServiceSpec { - return &k8s.VirtualServiceSpec{ +func virtualServiceSpec(ctx *context.Context, api *context.API) *unstructured.Unstructured { + return k8s.VirtualService(&k8s.VirtualServiceSpec{ Name: internalAPIName(api.Name, ctx.App.Name), Namespace: config.Cortex.Namespace, Gateways: []string{"apis-gateway"}, ServiceName: internalAPIName(api.Name, ctx.App.Name), ServicePort: defaultPortInt32, Path: context.APIPath(api.Name, ctx.App.Name), - } + Labels: map[string]string{ + "appName": ctx.App.Name, + "workloadType": workloadTypeAPI, + "apiName": api.Name, + }, + }) } -func serviceSpec(ctx *context.Context, api *context.API) *k8s.ServiceSpec { - return &k8s.ServiceSpec{ +func serviceSpec(ctx *context.Context, api *context.API) *kcore.Service { + return k8s.Service(&k8s.ServiceSpec{ Name: internalAPIName(api.Name, ctx.App.Name), Port: defaultPortInt32, Labels: map[string]string{ 
@@ -504,13 +515,13 @@ func doesAPIComputeNeedsUpdating(api *context.API, deployment *kapps.Deployment, } func deleteOldAPIs(ctx *context.Context) { - ingresses, _ := config.Kubernetes.ListIngressesByLabels(map[string]string{ + virtualServices, _ := config.Kubernetes.ListVirtualServicesByLabels(config.Cortex.Namespace, map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeAPI, }) - for _, ingress := range ingresses { - if _, ok := ctx.APIs[ingress.Labels["apiName"]]; !ok { - config.Kubernetes.DeleteIngress(ingress.Name) + for _, virtualService := range virtualServices { + if _, ok := ctx.APIs[virtualService.GetLabels()["apiName"]]; !ok { + config.Kubernetes.DeleteVirtualService(config.Cortex.Namespace, virtualService.GetName()) } } @@ -545,30 +556,6 @@ func deleteOldAPIs(ctx *context.Context) { } } -func createServicesAndIngresses(ctx *context.Context) error { - for _, api := range ctx.APIs { - serviceExists, err := config.Kubernetes.ServiceExists(internalAPIName(api.Name, ctx.App.Name)) - if err != nil { - return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") - } - if !serviceExists { - if _, err := config.Kubernetes.CreateService(serviceSpec(ctx, api)); err != nil { - return errors.Wrap(err, ctx.App.Name, "services", api.Name, "create") - } - if _, err := config.Kubernetes.CreateVirtualService(virtualServiceSpec(ctx, api)); err != nil { - return errors.Wrap(err, ctx.App.Name, "virtualservices", api.Name, "create") - } - } - - spec := tfAPISpec(ctx, api, generateWorkloadID(), 1) - if _, err := config.Kubernetes.CreateDeployment(spec); err != nil { - return errors.Wrap(err, "yolo") - } - - } - return nil -} - // This returns map apiName -> deployment (not internalName -> deployment) func apiDeploymentMap(appName string) (map[string]*kapps.Deployment, error) { deploymentList, err := config.Kubernetes.ListDeploymentsByLabels(map[string]string{ 
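Review bot: In `deleteOldAPIs` the call `config.Kubernetes.DeleteVirtualService(config.Cortex.Namespace, virtualService.GetName())` passes its arguments in the wrong order: `virtual_service.go` declares `DeleteVirtualService(name, namespace string)`, and `DeleteApp` in `workflow.go` calls it with the name first. Both parameters are strings, so this compiles; the delete most likely reports not-found, and because the return values are discarded nothing is logged, so the VirtualService of a removed API would stay in place and the gateway would keep routing its path. The call should read `config.Kubernetes.DeleteVirtualService(virtualService.GetName(), config.Cortex.Namespace)`, and the errors from the list and the delete are worth logging rather than dropping. The `List*` helpers take the namespace first while `Get`/`Delete` take it second, which makes this slip easy to repeat. The function body continues outside the hunk.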
diff --git a/pkg/operator/workloads/workflow.go b/pkg/operator/workloads/workflow.go index f74fa60af4..b2f8470b4d 100644 --- a/pkg/operator/workloads/workflow.go +++ b/pkg/operator/workloads/workflow.go @@ -143,9 +143,9 @@ func DeleteApp(appName string, keepCache bool) bool { for _, deployment := range deployments { config.Kubernetes.DeleteDeployment(deployment.Name) } - ingresses, _ := config.Kubernetes.ListIngressesByLabel("appName", appName) - for _, ingress := range ingresses { - config.Kubernetes.DeleteIngress(ingress.Name) + virtualServices, _ := config.Kubernetes.ListVirtualServicesByLabel(config.Cortex.Namespace, "appName", appName) + for _, virtualService := range virtualServices { + config.Kubernetes.DeleteVirtualService(virtualService.GetName(), config.Cortex.Namespace) } services, _ := config.Kubernetes.ListServicesByLabel("appName", appName) for _, service := range services { diff --git a/pkg/workloads/cortex/tf_api/api.py b/pkg/workloads/cortex/tf_api/api.py index 63a9787ffd..2c1dfaacd1 100644 --- a/pkg/workloads/cortex/tf_api/api.py +++ b/pkg/workloads/cortex/tf_api/api.py @@ -421,7 +421,6 @@ def validate_model_dir(model_dir): def start(args): serve(app, listen="*:{}".format(args.port)) - return ctx = Context(s3_path=args.context, cache_dir=args.cache_dir, workload_id=args.workload_id) api = ctx.apis_id_map[args.api] local_cache["api"] = api From 9807aa27b7de03b8ff63e3fb3437ce1d268c2035 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Thu, 18 Jul 2019 17:56:42 -0400 Subject: [PATCH 15/68] minor fixes --- docs/cluster/security.md | 2 +- manager/install_cortex.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cluster/security.md b/docs/cluster/security.md index 64b7b3d43f..da9b631783 100644 --- a/docs/cluster/security.md +++ b/docs/cluster/security.md 
@@ -20,4 +20,4 @@ In order to connect to the operator via the CLI, you must provide valid AWS cred ## API access -By default, your Cortex APIs will be accessible to all traffic. You can restrict access using AWS security groups. Specifically, you will need to edit the security group with the description: "Security group for Kubernetes ELB (cortex/istio-ingressgateway)". +By default, your Cortex APIs will be accessible to all traffic. You can restrict access using AWS security groups. Specifically, you will need to edit the security group with the description: "Security group for Kubernetes ELB (istio-system/apis-ingressgateway)". diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index df5ad8bfa8..f02aae254e 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -130,7 +130,7 @@ function validate_cortex() { fi if [ "$operator_endpoint_reachable" != "ready" ]; then - if ! curl $operator_endpoint/operattor >/dev/null 2>&1; then + if ! curl $operator_endpoint >/dev/null 2>&1; then continue fi operator_endpoint_reachable="ready" From 6f455efb98b547ebcbd95dc46387a2a72e6b65c8 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 19 Jul 2019 14:40:55 -0400 Subject: [PATCH 16/68] progress --- cli/cmd/lib_client.go | 2 ++ cli/cmd/predict.go | 4 ++++ manager/manifests/apis.yaml | 4 ++++ manager/manifests/istio/values.yaml | 4 ++++ manager/manifests/operator.yaml | 12 +++++++----- pkg/operator/workloads/api_workload.go | 16 ++++++++-------- pkg/workloads/cortex/tf_api/api.py | 5 ----- 7 files changed, 29 insertions(+), 18 deletions(-) diff --git a/cli/cmd/lib_client.go b/cli/cmd/lib_client.go index 928a830845..7d109eb7bb 100644 --- a/cli/cmd/lib_client.go +++ b/cli/cmd/lib_client.go @@ -22,6 +22,7 @@ import ( "fmt" "io" "io/ioutil" + "log" "mime/multipart" "net/http" "os" 
@@ -261,6 +262,7 @@ func makeRequest(request *http.Request) ([]byte, error) { response, err := httpClient.Do(request) if err != nil { cliConfig := getValidCliConfig() + log.Println(err) return nil, ErrorFailedToConnect(cliConfig.CortexURL) } defer response.Body.Close() diff --git a/cli/cmd/predict.go b/cli/cmd/predict.go index 6069741d16..e0d61e0f4a 100644 --- a/cli/cmd/predict.go +++ b/cli/cmd/predict.go @@ -19,6 +19,7 @@ package cmd import ( "bytes" "fmt" + "log" "net/http" "strings" @@ -168,9 +169,12 @@ func makePredictRequest(apiURL string, samplesJSONPath string) (*PredictResponse return nil, errors.Wrap(err, errStrCantMakeRequest) } + log.Println(apiURL) + req.Header.Set("Content-Type", "application/json") httpResponse, err := makeRequest(req) if err != nil { + log.Println("yolo") return nil, err } diff --git a/manager/manifests/apis.yaml b/manager/manifests/apis.yaml index 1e629296ee..68657fc2cf 100644 --- a/manager/manifests/apis.yaml +++ b/manager/manifests/apis.yaml @@ -25,6 +25,10 @@ spec: number: 80 name: http protocol: HTTP + - port: + number: 443 + name: https + protocol: HTTPS hosts: - "*" diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml index 72dc1a35e6..0e1ba04744 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio/values.yaml @@ -19,6 +19,8 @@ gateways: labels: app: operator-istio-gateway istio: operator-ingressgateway + serviceAnnotations: + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" replicaCount: 1 autoscaleMin: 1 autoscaleMax: 2 @@ -71,6 +73,8 @@ gateways: labels: app: apis-istio-gateway istio: apis-ingressgateway + serviceAnnotations: + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" replicaCount: 1 autoscaleMin: 1 autoscaleMax: 2 diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 4cb7fea23d..b8232e697f 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml 
@@ -103,7 +103,8 @@ spec: workloadID: operator ports: - port: 8888 - name: http + name: tcp + protocol: TCP selector: app: operator workloadID: operator @@ -123,6 +124,10 @@ spec: number: 80 name: http protocol: HTTP + - port: + number: 443 + name: https + protocol: HTTPS hosts: - "*" @@ -139,10 +144,7 @@ spec: gateways: - operator-gateway http: - - match: - - uri: - prefix: / - route: + - route: - destination: host: operator port: diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index 4576293f22..20f92a8b37 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go @@ -232,9 +232,9 @@ func tfAPISpec( Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeAPI, + "apiName": api.Name, "app": internalAPIName(api.Name, ctx.App.Name), "version": "v1", - "apiName": api.Name, }, Annotations: map[string]string{ "sidecar.istio.io/inject": "true", @@ -327,7 +327,7 @@ func tfAPISpec( }, }, Volumes: k8s.DefaultVolumes(), - ServiceAccountName: "operator", + ServiceAccountName: "default", }, }, Namespace: config.Cortex.Namespace, @@ -365,15 +365,15 @@ func onnxAPISpec( "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, - "service": workloadTypeAPI, - "app": workloadTypeAPI, + "app": internalAPIName(api.Name, ctx.App.Name), + "version": "v1", }, Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeAPI, "apiName": api.Name, - "service": workloadTypeAPI, - "app": workloadTypeAPI, + "app": internalAPIName(api.Name, ctx.App.Name), + "version": "v1", }, Annotations: map[string]string{ "sidecar.istio.io/inject": "true", 
@@ -385,9 +385,9 @@ func onnxAPISpec( "apiName": api.Name, "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, + "app": internalAPIName(api.Name, ctx.App.Name), + "version": "v1", "userFacing": "true", - "service": workloadTypeAPI, - "app": workloadTypeAPI, }, K8sPodSpec: kcore.PodSpec{ Containers: []kcore.Container{ diff --git a/pkg/workloads/cortex/tf_api/api.py b/pkg/workloads/cortex/tf_api/api.py index 2c1dfaacd1..ea333dd916 100644 --- a/pkg/workloads/cortex/tf_api/api.py +++ b/pkg/workloads/cortex/tf_api/api.py @@ -312,10 +312,6 @@ def prediction_failed(sample, reason=None): def health(): return jsonify({"ok": True}) -@app.route("//", methods=["GET"]) -def predict_index(deployment_name, api_name): - return jsonify({"ok": True}) - @app.route("//", methods=["POST"]) def predict(deployment_name, api_name): @@ -420,7 +416,6 @@ def validate_model_dir(model_dir): def start(args): - serve(app, listen="*:{}".format(args.port)) ctx = Context(s3_path=args.context, cache_dir=args.cache_dir, workload_id=args.workload_id) api = ctx.apis_id_map[args.api] local_cache["api"] = api From 55884bc8a940c180a18f94d7e3f78af781ad140d Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 22 Jul 2019 11:38:22 -0400 Subject: [PATCH 17/68] https progress --- manager/manifests/apis.yaml | 5 ----- manager/manifests/istio/values.yaml | 4 ++++ manager/manifests/operator.yaml | 8 +------- 3 files changed, 5 insertions(+), 12 deletions(-) diff --git a/manager/manifests/apis.yaml b/manager/manifests/apis.yaml index 68657fc2cf..4018f8840d 100644 --- a/manager/manifests/apis.yaml +++ b/manager/manifests/apis.yaml @@ -25,11 +25,6 @@ spec: number: 80 name: http protocol: HTTP - - port: - number: 443 - name: https - protocol: HTTPS hosts: - "*" - --- diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml index 0e1ba04744..b3116883a0 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio/values.yaml 
@@ -21,6 +21,8 @@ gateways: istio: operator-ingressgateway serviceAnnotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" replicaCount: 1 autoscaleMin: 1 autoscaleMax: 2 @@ -75,6 +77,8 @@ gateways: istio: apis-ingressgateway serviceAnnotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" replicaCount: 1 autoscaleMin: 1 autoscaleMax: 2 diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index b8232e697f..1433a93887 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -103,8 +103,7 @@ spec: workloadID: operator ports: - port: 8888 - name: tcp - protocol: TCP + name: http selector: app: operator workloadID: operator @@ -124,13 +123,8 @@ spec: number: 80 name: http protocol: HTTP - - port: - number: 443 - name: https - protocol: HTTPS hosts: - "*" - --- apiVersion: networking.istio.io/v1alpha3 From f6da3fc36c941c02fd68a9bfbda7351d6c3661fc Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Tue, 23 Jul 2019 16:55:55 -0400 Subject: [PATCH 18/68] https --- cli/cmd/lib_client.go | 2 -- cli/cmd/predict.go | 4 ---- images/manager/Dockerfile | 7 ++++++- manager/install_cortex.sh | 2 +- manager/manifests/apis.yaml | 11 +++++++++++ manager/manifests/istio/values.yaml | 10 ++-------- manager/manifests/operator.yaml | 11 +++++++++++ 7 files changed, 31 insertions(+), 16 deletions(-) diff --git a/cli/cmd/lib_client.go b/cli/cmd/lib_client.go index 7d109eb7bb..928a830845 100644 --- a/cli/cmd/lib_client.go +++ b/cli/cmd/lib_client.go @@ -22,7 +22,6 @@ import ( "fmt" "io" "io/ioutil" - "log" "mime/multipart" "net/http" "os" 
@@ -262,7 +261,6 @@ func makeRequest(request *http.Request) ([]byte, error) { response, err := httpClient.Do(request) if err != nil { cliConfig := getValidCliConfig() - log.Println(err) return nil, ErrorFailedToConnect(cliConfig.CortexURL) } defer response.Body.Close() diff --git a/cli/cmd/predict.go b/cli/cmd/predict.go index 63b3237825..a55d71742e 100644 --- a/cli/cmd/predict.go +++ b/cli/cmd/predict.go @@ -19,7 +19,6 @@ package cmd import ( "bytes" "fmt" - "log" "net/http" "strings" @@ -170,12 +169,9 @@ func makePredictRequest(apiURL string, samplesJSONPath string) (*PredictResponse return nil, errors.Wrap(err, errStrCantMakeRequest) } - log.Println(apiURL) - req.Header.Set("Content-Type", "application/json") httpResponse, err := makeRequest(req) if err != nil { - log.Println("yolo") return nil, err } diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 52149cca04..31b79ca6ed 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -7,7 +7,7 @@ ENV PATH /root/.local/bin:$PATH RUN pip3 install awscli --upgrade --user && \ rm -rf /root/.cache/pip* -RUN apk add --no-cache bash curl gettext jq +RUN apk add --no-cache bash curl gettext jq git openssl RUN curl --location "https://github.com/weaveworks/eksctl/releases/download/0.1.40/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp && \ mv /tmp/eksctl /usr/local/bin @@ -27,4 +27,9 @@ RUN curl -LO https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz && \ COPY manager /root +RUN git clone https://github.com/nicholasjackson/mtls-go-example && \ + cd /root/mtls-go-example && \ + yes | ./generate.sh cortex.example.com cortex && \ + mkdir ../cortex.example.com && mv 1_root 2_intermediate 3_application 4_client ../cortex.example.com + ENTRYPOINT ["/bin/bash"] diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index f02aae254e..5c88ca9d9f 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
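Review bot: The added `RUN git clone https://github.com/nicholasjackson/mtls-go-example ... yes | ./generate.sh cortex.example.com cortex` in `images/manager/Dockerfile` creates the gateway's TLS key pair while the image is built, so the private key is stored in an image layer, every cluster installed from the same manager image serves the same key, and anyone who can pull the image can read it. The clone is also unpinned, so whatever is on that repository's default branch at build time is executed during the build. `install_cortex.sh` then loads this key into the `istio-customgateway-certs` secret, and the later `[PATCH 19/68]` only randomises the passphrase handed to `generate.sh`, which leaves both points as they are. Generating the key and certificate with `openssl` inside `install_cortex.sh` at install time, or accepting a user-supplied certificate, keeps the key out of the image. If the clone stays, check out a fixed commit.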
@@ -174,8 +174,8 @@ setup_secrets envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null - kubectl create namespace istio-system +kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com/3_application/private/cortex.example.com.key.pem --cert cortex.example.com/3_application/certs/cortex.example.com.cert.pem helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - sleep 20 helm template manifests/istio --name istio --namespace istio-system | kubectl apply -f - diff --git a/manager/manifests/apis.yaml b/manager/manifests/apis.yaml index 4018f8840d..1fa8ad1efe 100644 --- a/manager/manifests/apis.yaml +++ b/manager/manifests/apis.yaml @@ -27,4 +27,15 @@ spec: protocol: HTTP hosts: - "*" + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + mode: SIMPLE + serverCertificate: /etc/istio/customgateway-certs/tls.crt + privateKey: /etc/istio/customgateway-certs/tls.key + --- diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio/values.yaml index b3116883a0..b1db2a60e2 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio/values.yaml @@ -13,16 +13,14 @@ # gateways: enabled: true + istio-ingressgateway: + enabled: false operator-ingressgateway: namespace: istio-system enabled: true labels: app: operator-istio-gateway istio: operator-ingressgateway - serviceAnnotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" - service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" replicaCount: 1 autoscaleMin: 1 autoscaleMax: 2 
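Review bot: In `manager/manifests/apis.yaml` the HTTPS server is added next to the existing port 80 server, which keeps accepting plain HTTP for `hosts: "*"`, so clients are never forced onto TLS. The same holds for the `operator-gateway` hunk in `manager/manifests/operator.yaml`, where CLI requests, which `docs/cluster/security.md` says require AWS credentials, could still travel unencrypted. If plaintext is not needed, add `tls:` with `httpsRedirect: true` to the port 80 server of each Gateway. The certificate is issued for `cortex.example.com` while the gateway matches any host, so clients reaching the load balancer by its own hostname will presumably fail verification or switch it off. A comment in the manifest on how a real certificate is supplied would help.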
@@ -75,10 +73,6 @@ gateways: labels: app: apis-istio-gateway istio: apis-ingressgateway - serviceAnnotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" - service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" replicaCount: 1 autoscaleMin: 1 autoscaleMax: 2 diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 1433a93887..de4c910cbb 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -125,6 +125,17 @@ spec: protocol: HTTP hosts: - "*" + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - "*" + tls: + mode: SIMPLE + serverCertificate: /etc/istio/customgateway-certs/tls.crt + privateKey: /etc/istio/customgateway-certs/tls.key + --- apiVersion: networking.istio.io/v1alpha3 From 4b99f50d1ac04c5acc3985de54aa35ce65f4c849 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 24 Jul 2019 09:22:45 -0400 Subject: [PATCH 19/68] generate random password --- images/manager/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 31b79ca6ed..db9365b93b 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -7,7 +7,7 @@ ENV PATH /root/.local/bin:$PATH RUN pip3 install awscli --upgrade --user && \ rm -rf /root/.cache/pip* -RUN apk add --no-cache bash curl gettext jq git openssl +RUN apk add --no-cache bash curl gettext jq git openssl pwgen RUN curl --location "https://github.com/weaveworks/eksctl/releases/download/0.1.40/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp && \ mv /tmp/eksctl /usr/local/bin 
@@ -29,7 +29,7 @@ COPY manager /root RUN git clone https://github.com/nicholasjackson/mtls-go-example && \ cd /root/mtls-go-example && \ - yes | ./generate.sh cortex.example.com cortex && \ + PW=$(pwgen -Bs1 12) && yes | ./generate.sh cortex.example.com $PW && \ mkdir ../cortex.example.com && mv 1_root 2_intermediate 3_application 4_client ../cortex.example.com ENTRYPOINT ["/bin/bash"] From 23c3f5a9b88317d167ab268be19dec09b21a9144 Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Wed, 24 Jul 2019 10:47:32 -0400 Subject: [PATCH 20/68] remove istio READMEs and examples --- manager/manifests/istio-init/README.md | 77 ---------- .../manifests/istio/example-values/README.md | 5 - .../values-istio-example-sds-vault.yaml | 27 ---- .../example-values/values-istio-gateways.yaml | 135 ------------------ .../example-values/values-istio-googleca.yaml | 22 --- .../values-istio-multicluster-gateways.yaml | 27 ---- .../istio/values-istio-demo-auth.yaml | 82 ----------- .../manifests/istio/values-istio-demo.yaml | 83 ----------- .../manifests/istio/values-istio-minimal.yaml | 46 ------ .../manifests/istio/values-istio-remote.yaml | 34 ----- .../istio/values-istio-sds-auth.yaml | 20 --- manager/manifests/operator.yaml | 3 - pkg/operator/workloads/api_workload.go | 6 - 13 files changed, 567 deletions(-) delete mode 100644 manager/manifests/istio-init/README.md delete mode 100644 manager/manifests/istio/example-values/README.md delete mode 100644 manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml delete mode 100644 manager/manifests/istio/example-values/values-istio-gateways.yaml delete mode 100644 manager/manifests/istio/example-values/values-istio-googleca.yaml delete mode 100644 manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml delete mode 100644 manager/manifests/istio/values-istio-demo-auth.yaml delete mode 100644 manager/manifests/istio/values-istio-demo.yaml delete mode 100644 manager/manifests/istio/values-istio-minimal.yaml delete mode 100644 manager/manifests/istio/values-istio-remote.yaml delete mode 100644 manager/manifests/istio/values-istio-sds-auth.yaml diff --git a/manager/manifests/istio-init/README.md b/manager/manifests/istio-init/README.md deleted file mode 100644 index 9a1330bf05..0000000000 --- a/manager/manifests/istio-init/README.md +++ /dev/null 
@@ -1,77 +0,0 @@ -# Istio - -[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. - -## Introduction - -This chart bootstraps Istio's [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) -which are an internal implementation detail of Istio. CRDs define data structures for storing runtime configuration -specified by a human operator. - -This chart must be run to completion prior to running other Istio charts, or other Istio charts will fail to initialize. - -## Prerequisites - -- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required -- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required - -## Resources Required - -The chart deploys pods that consume minimal resources. - -## Installing the Chart - -1. If a service account has not already been installed for Tiller, install one: - ``` - $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml - ``` - -1. If Tiller has not already been installed in your cluster, Install Tiller on your cluster with the service account: - ``` - $ helm init --service-account tiller - ``` - -1. Install the Istio initializer chart: - ``` - $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system - ``` - - > Although you can install the `istio-init` chart to any namespace, it is recommended to install `istio-init` in the same namespace(`istio-system`) as other Istio charts. - -## Configuration - -The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. -To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. 
- -Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table: - -| Parameter | Description | Values | Default | -| --- | --- | --- | --- | -| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` | -| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | -| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | - - -## Uninstalling the Chart - -> Uninstalling this chart does not delete Istio's registered CRDs. Istio by design expects -> CRDs to leak into the Kubernetes environment. As CRDs contain all runtime configuration -> data in CustomResources the Istio designers feel it is better to explicitly delete this -> configuration rather then unexpectedly lose it. - -To uninstall/delete the `istio-init` release but continue to track the release: - ``` - $ helm delete istio-init - ``` - -To uninstall/delete the `istio-init` release completely and make its name free for later use: - ``` - $ helm delete istio-init --purge - ``` - -> Warning: Deleting CRDs will delete any configuration that you have made to Istio. - -To delete all CRDs, run the following command - ``` - $ for i in istio-init/files/*crd*yaml; do kubectl delete -f $i; done - ``` diff --git a/manager/manifests/istio/example-values/README.md b/manager/manifests/istio/example-values/README.md deleted file mode 100644 index 74fedcb607..0000000000 --- a/manager/manifests/istio/example-values/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Example Values - -These files provide various example values for different Istio setups. - -To use them, [read the docs](https://istio.io/docs/setup/kubernetes/helm-install/) and add the flag `--values example-file.yaml`. 
diff --git a/manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml b/manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml
deleted file mode 100644
index cf097c7f18..0000000000
--- a/manager/manifests/istio/example-values/values-istio-example-sds-vault.yaml
+++ /dev/null
@@ -1,27 +0,0 @@ -global: - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - sds: - enabled: true - udsPath: "unix:/var/run/sds/uds_path" - useNormalJwt: true - -nodeagent: - enabled: true - image: node-agent-k8s - env: - # The IP address and the port number of a publicly accessible example Vault server. - CA_ADDR: "https://34.83.129.211:8200" - CA_PROVIDER: "VaultCA" - VALID_TOKEN: true - # The IP address and the port number of a publicly accessible example Vault server. - VAULT_ADDR: "https://34.83.129.211:8200" - VAULT_AUTH_PATH: "auth/kubernetes/login" - VAULT_ROLE: "istio-cert" - VAULT_SIGN_CSR_PATH: "istio_ca/sign/istio-pki-role" - VAULT_TLS_ROOT_CERT: '-----BEGIN CERTIFICATE-----\nMIIC3jCCAcagAwIBAgIRAO1S7vuRQmo2He+RtBq3fv8wDQYJKoZIhvcNAQELBQAw\nEDEOMAwGA1UEChMFVmF1bHQwIBcNMTkwNDI3MTY1ODE1WhgPMjExOTA0MDMxNjU4\nMTVaMBAxDjAMBgNVBAoTBVZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA7/CTbnENEIvFZg9hmVtYnOx3OfMy/GNCuP7sqtAeVVTopAKKkcAAWQck\nrhpBooEGpCugNxXGNCuJh/2nu0AfGFRfdafwSJRoI6yHwQouDm0o4r3h9uL3tu5N\nD+x9j+eejbFsoZVn84CxGkEB6oyeXYHjc6eWh3PFGMtKuOQD4pezvDH0yNCx5waK\nhtPuYtl0ebfdbyh+WQuptO+Q9VSaQNqE3ipZ461y8PduwRRll241W0gQB2iasX03\nD36F2ZrMz3KEVRVKM1yCUDCy2RPJqkXPdnVMWmDGbe8Uw69zr25JltzuRZFT9HL3\nY1RnMTecmSc4ikTUHcMhFX3PYbfR5wIDAQABozEwLzAOBgNVHQ8BAf8EBAMCBaAw\nDAYDVR0TAQH/BAIwADAPBgNVHREECDAGhwQiU4HTMA0GCSqGSIb3DQEBCwUAA4IB\nAQCdLh6olDVQB71LD6srbfAE4EsxLEBbIRnv7Nf1S0KQwgW/QxK8DHBwJBxJkr1N\nzgEPx86f2Fo2UsY9m6rvgP3+iquyMsKi0ooUah3y3LSnONuZcdfSTl/HYd38S6Dp\nVkVOZ7781xxpFVUqQ5voQX1Y1Ipn5qw0FyIcNYWLkNX+iMf1b9kpEIWQNhRC/Yiv\nTS0VA/BzQemGyf2UB6QsuZLH+JFEZnzU859qURnNIITa1Wf4YUtka5Sp1kDnEll3\nwj4IlXKU+Wl1CzxJyn4SSQAXy/Lb08ZKrF/YSzcIISnRX5j+wa8ApOSwwA/B7iaT\nTWz1g+RlV9qHap70eIjPsQvb\n-----END CERTIFICATE-----' \ No newline at end of file 
diff --git a/manager/manifests/istio/example-values/values-istio-gateways.yaml b/manager/manifests/istio/example-values/values-istio-gateways.yaml
deleted file mode 100644
index b9930d0a0b..0000000000
--- a/manager/manifests/istio/example-values/values-istio-gateways.yaml
+++ /dev/null
@@ -1,135 +0,0 @@ -# Common settings. -global: - # Omit the istio-sidecar-injector configmap when generate a - # standalone gateway. Gateways may be created in namespaces other - # than `istio-system` and we don't want to re-create the injector - # configmap in those. - omitSidecarInjectorConfigMap: true - - # Istio control plane namespace: This specifies where the Istio control - # plane was installed earlier. Modify this if you installed the control - # plane in a different namespace than istio-system. - istioNamespace: istio-system - - proxy: - # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument - # would be :). - # Disabled by default. - # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. - envoyStatsd: - # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. - enabled: false - host: # example: statsd-svc.istio-system - port: # example: 9125 - - -# -# Gateways Configuration -# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. -# You can add more gateways in addition to the defaults but make sure those are uniquely named -# and that NodePorts are not conflicting. -# Disable specific gateway by setting the `enabled` to false. 
-# -gateways: - enabled: true - - custom-gateway: - enabled: true - labels: - app: custom-gateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 5 - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - #requests: - # cpu: 1800m - # memory: 256Mi - cpu: - targetAverageUtilization: 80 - loadBalancerIP: "" - loadBalancerSourceRanges: {} - externalIPs: [] - serviceAnnotations: {} - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out - ports: - ## You can add custom gateway ports - - port: 80 - targetPort: 80 - name: http2 - # nodePort: 31380 - - port: 443 - name: https - # nodePort: 31390 - - port: 31400 - name: tcp - # nodePort: 31400 - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - # Addon ports for kiali are enabled in gateway - but will only redirect if - # the gateway configuration for the various components are enabled. - - port: 15029 - targetPort: 15029 - name: http2-kiali - # Telemetry-related ports are enabled in gateway - but will only redirect if - # the gateway configuration for the various components are enabled. 
- - port: 15030 - targetPort: 15030 - name: http2-prometheus - - port: 15031 - targetPort: 15031 - name: http2-grafana - - port: 15032 - targetPort: 15032 - name: http2-tracing - secretVolumes: - - name: customgateway-certs - secretName: istio-customgateway-certs - mountPath: /etc/istio/customgateway-certs - - name: customgateway-ca-certs - secretName: istio-customgateway-ca-certs - mountPath: /etc/istio/customgateway-ca-certs - -# all other components are disabled except the gateways -security: - enabled: false - -sidecarInjectorWebhook: - enabled: false - -galley: - enabled: false - -mixer: - policy: - enabled: false - telemetry: - enabled: false - -pilot: - enabled: false - -grafana: - enabled: false - -prometheus: - enabled: false - -tracing: - enabled: false - -kiali: - enabled: false - -certmanager: - enabled: false diff --git a/manager/manifests/istio/example-values/values-istio-googleca.yaml b/manager/manifests/istio/example-values/values-istio-googleca.yaml deleted file mode 100644 index e0c633ea1d..0000000000 --- a/manager/manifests/istio/example-values/values-istio-googleca.yaml +++ /dev/null @@ -1,22 +0,0 @@ -global: - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - sds: - enabled: true - udsPath: "unix:/var/run/sds/uds_path" - useTrustworthyJwt: true - - trustDomain: "" - -nodeagent: - enabled: true - image: node-agent-k8s - env: - CA_PROVIDER: "GoogleCA" - CA_ADDR: "istioca.googleapis.com:443" - Plugins: "GoogleTokenExchange" diff --git a/manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml b/manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml deleted file mode 100644 index 3524a3d478..0000000000 --- a/manager/manifests/istio/example-values/values-istio-multicluster-gateways.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -global: - # Provides dns resolution for global services - podDNSSearchNamespaces: - - global - - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - multiCluster: - enabled: true - - controlPlaneSecurityEnabled: true - -# Multicluster with gateways requires a root CA -# Cluster local CAs are bootstrapped with the root CA. -security: - selfSigned: false - -# Provides dns resolution for service entries of form -# name.namespace.global -istiocoredns: - enabled: true - -gateways: - istio-egressgateway: - enabled: true - env: - # Needed to route traffic via egress gateway if desired. - ISTIO_META_REQUESTED_NETWORK_VIEW: "external" diff --git a/manager/manifests/istio/values-istio-demo-auth.yaml b/manager/manifests/istio/values-istio-demo-auth.yaml deleted file mode 100644 index 931a8d9954..0000000000 --- a/manager/manifests/istio/values-istio-demo-auth.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# This is used to generate minimal demo mode. It is included from demo and demo-auth values. -# It is shipped with the release, used for bookinfo or quick installation of istio. -# Includes components used in the demo, defaults to alpha3 rules. -# Note: please only put common configuration for the demo profiles here. -global: - proxy: - accessLogFile: "/dev/stdout" - resources: - requests: - cpu: 10m - memory: 40Mi - - disablePolicyChecks: false - -sidecarInjectorWebhook: - enabled: true - # If true, webhook or istioctl injector will rewrite PodSpec for liveness - # health check to redirect request to sidecar. This makes liveness check work - # even when mTLS is enabled. - rewriteAppHTTPProbe: false - -pilot: - traceSampling: 100.0 - resources: - requests: - cpu: 10m - memory: 100Mi - -mixer: - policy: - enabled: true - resources: - requests: - cpu: 10m - memory: 100Mi - - telemetry: - enabled: true - resources: - requests: - cpu: 50m - memory: 100Mi - - adapters: - stdio: - enabled: true - -grafana: - enabled: true - -tracing: - enabled: true - -kiali: - enabled: true - createDemoSecret: true - -gateways: - istio-ingressgateway: - resources: - requests: - cpu: 10m - memory: 40Mi - - istio-egressgateway: - enabled: true - resources: - requests: - cpu: 10m - memory: 40Mi -# This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled. -# It is shipped with the release, used for bookinfo or quick installation of istio. -# Includes components used in the demo, defaults to alpha3 rules. - -# @include -global: - controlPlaneSecurityEnabled: true - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true diff --git a/manager/manifests/istio/values-istio-demo.yaml b/manager/manifests/istio/values-istio-demo.yaml deleted file mode 100644 index 9af8346093..0000000000 --- a/manager/manifests/istio/values-istio-demo.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -# This is used to generate minimal demo mode. It is included from demo and demo-auth values. -# It is shipped with the release, used for bookinfo or quick installation of istio. -# Includes components used in the demo, defaults to alpha3 rules. -# Note: please only put common configuration for the demo profiles here. -global: - proxy: - accessLogFile: "/dev/stdout" - resources: - requests: - cpu: 10m - memory: 40Mi - - disablePolicyChecks: false - -sidecarInjectorWebhook: - enabled: true - # If true, webhook or istioctl injector will rewrite PodSpec for liveness - # health check to redirect request to sidecar. This makes liveness check work - # even when mTLS is enabled. - rewriteAppHTTPProbe: false - -pilot: - traceSampling: 100.0 - resources: - requests: - cpu: 10m - memory: 100Mi - -mixer: - policy: - enabled: true - resources: - requests: - cpu: 10m - memory: 100Mi - - telemetry: - enabled: true - resources: - requests: - cpu: 50m - memory: 100Mi - - adapters: - stdio: - enabled: true - -grafana: - enabled: true - -tracing: - enabled: true - -kiali: - enabled: true - createDemoSecret: true - -gateways: - istio-ingressgateway: - resources: - requests: - cpu: 10m - memory: 40Mi - - istio-egressgateway: - enabled: true - resources: - requests: - cpu: 10m - memory: 40Mi -# This is used to generate istio.yaml for minimal, demo mode. -# It is shipped with the release, used for bookinfo or quick installation of istio. -# Includes components used in the demo, defaults to alpha3 rules. - -# @include -# -global: - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: false diff --git a/manager/manifests/istio/values-istio-minimal.yaml b/manager/manifests/istio/values-istio-minimal.yaml deleted file mode 100644 index eb92536e80..0000000000 --- a/manager/manifests/istio/values-istio-minimal.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# Minimal Istio Configuration: https://istio.io/docs/setup/kubernetes/minimal-install/ -# -pilot: - enabled: true - sidecar: false - -gateways: - enabled: false - -security: - enabled: false - -sidecarInjectorWebhook: - enabled: false - -galley: - enabled: false - -mixer: - policy: - enabled: false - telemetry: - enabled: false - -prometheus: - enabled: false - - -# Common settings. -global: - - proxy: - # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument - # would be :). - # Disabled by default. - # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. - envoyStatsd: - # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. - enabled: false - host: # example: statsd-svc.istio-system - port: # example: 9125 - - useMCP: false - - diff --git a/manager/manifests/istio/values-istio-remote.yaml b/manager/manifests/istio/values-istio-remote.yaml deleted file mode 100644 index 20fe2ac3dd..0000000000 --- a/manager/manifests/istio/values-istio-remote.yaml +++ /dev/null @@ -1,34 +0,0 @@ -gateways: - enabled: false - -galley: - enabled: false - -mixer: - policy: - enabled: false - telemetry: - enabled: false - -pilot: - enabled: false - -security: - enabled: true - createMeshPolicy: false - -prometheus: - enabled: false - -global: - istioRemote: true - - enableTracing: false - - # Sets an identifier for the remote network to be used for Split Horizon EDS. The network will be sent - # to the Pilot when connected by the sidecar and will affect the results returned in EDS requests. - # Based on the network identifier Pilot will return all local endpoints + endpoints of gateways to - # other networks. - # - # Must match the names in the meshNetworks section in the Istio local. - network: "" 
diff --git a/manager/manifests/istio/values-istio-sds-auth.yaml b/manager/manifests/istio/values-istio-sds-auth.yaml deleted file mode 100644 index a741bfdcfc..0000000000 --- a/manager/manifests/istio/values-istio-sds-auth.yaml +++ /dev/null @@ -1,20 +0,0 @@ -global: - controlPlaneSecurityEnabled: false - - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: true - - sds: - enabled: true - udsPath: "unix:/var/run/sds/uds_path" - useNormalJwt: true - -nodeagent: - enabled: true - image: node-agent-k8s - env: - CA_PROVIDER: "Citadel" - CA_ADDR: "istio-citadel:8060" - VALID_TOKEN: true \ No newline at end of file diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index de4c910cbb..ed8dadc3b0 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -43,19 +43,16 @@ metadata: workloadType: operator workloadID: operator app: operator - version: v1 spec: replicas: 1 selector: matchLabels: workloadID: operator app: operator - version: v1 template: metadata: labels: app: operator - version: v1 workloadID: operator workloadType: operator annotations: diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index 7d234c0f33..ff07c0a371 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go @@ -275,14 +275,12 @@ func tfAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "app": internalAPIName(api.Name, ctx.App.Name), - "version": "v1", }, Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeAPI, "apiName": api.Name, "app": internalAPIName(api.Name, ctx.App.Name), - "version": "v1", }, Annotations: map[string]string{ "sidecar.istio.io/inject": "true", 
@@ -295,7 +293,6 @@ func tfAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "app": internalAPIName(api.Name, ctx.App.Name), - "version": "v1", "userFacing": "true", }, K8sPodSpec: kcore.PodSpec{ @@ -414,14 +411,12 @@ func onnxAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "app": internalAPIName(api.Name, ctx.App.Name), - "version": "v1", }, Selector: map[string]string{ "appName": ctx.App.Name, "workloadType": workloadTypeAPI, "apiName": api.Name, "app": internalAPIName(api.Name, ctx.App.Name), - "version": "v1", }, Annotations: map[string]string{ "sidecar.istio.io/inject": "true", @@ -434,7 +429,6 @@ func onnxAPISpec( "resourceID": ctx.APIs[api.Name].ID, "workloadID": workloadID, "app": internalAPIName(api.Name, ctx.App.Name), - "version": "v1", "userFacing": "true", }, K8sPodSpec: kcore.PodSpec{ From 3585277908c062b4f2b2077629cd7692b79cc931 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 24 Jul 2019 11:05:58 -0400 Subject: [PATCH 21/68] clean up --- pkg/lib/k8s/virtual_service.go | 11 +++++------ pkg/operator/operator.go | 5 +++-- pkg/workloads/cortex/tf_api/api.py | 1 - 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index 813984f1b9..930679642d 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -20,12 +20,11 @@ import ( "github.com/cortexlabs/cortex/pkg/lib/errors" kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" ) -var virtualServiceTypeMeta = metav1.TypeMeta{ +var virtualServiceTypeMeta = kmeta.TypeMeta{ APIVersion: "v1alpha3", Kind: "VirtualService", } 
@@ -94,7 +93,7 @@ func (c *Client) CreateVirtualService(spec *unstructured.Unstructured) (*unstruc virtualService, err := c.dynamicClient. Resource(virtualServiceGVR). Namespace(spec.GetNamespace()). - Create(spec, metav1.CreateOptions{ + Create(spec, kmeta.CreateOptions{ TypeMeta: virtualServiceTypeMeta, }) if err != nil { @@ -107,7 +106,7 @@ func (c *Client) UpdateVirtualService(spec *unstructured.Unstructured) (*unstruc virtualService, err := c.dynamicClient. Resource(virtualServiceGVR). Namespace(spec.GetNamespace()). - Update(spec, metav1.UpdateOptions{ + Update(spec, kmeta.UpdateOptions{ TypeMeta: virtualServiceTypeMeta, }) if err != nil { @@ -129,7 +128,7 @@ func (c *Client) ApplyVirtualService(spec *unstructured.Unstructured) (*unstruct } func (c *Client) GetVirtualService(name, namespace string) (*unstructured.Unstructured, error) { - virtualService, err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Get(name, metav1.GetOptions{ + virtualService, err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Get(name, kmeta.GetOptions{ TypeMeta: virtualServiceTypeMeta, }) @@ -143,7 +142,7 @@ func (c *Client) GetVirtualService(name, namespace string) (*unstructured.Unstru } func (c *Client) DeleteVirtualService(name, namespace string) (bool, error) { - err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Delete(name, &metav1.DeleteOptions{ + err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Delete(name, &kmeta.DeleteOptions{ TypeMeta: virtualServiceTypeMeta, }) if kerrors.IsNotFound(err) { diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 3d8cea8174..4397059568 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go 
@@ -53,10 +53,11 @@ func main() { router := mux.NewRouter() router.Use(panicMiddleware) + router.HandleFunc("/", Index).Methods("GET") + router.Use(apiVersionCheckMiddleware) router.Use(authMiddleware) - router.HandleFunc("/", Index).Methods("GET") router.HandleFunc("/deploy", endpoints.Deploy).Methods("POST") router.HandleFunc("/delete", endpoints.Delete).Methods("POST") router.HandleFunc("/resources", endpoints.GetResources).Methods("GET") @@ -70,7 +71,7 @@ func main() { func Index(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/plain") w.WriteHeader(http.StatusOK) - w.Write([]byte(".")) + w.Write([]byte("🚀")) } func panicMiddleware(next http.Handler) http.Handler { diff --git a/pkg/workloads/cortex/tf_api/api.py b/pkg/workloads/cortex/tf_api/api.py index 3dce57e7fa..b5333381d8 100644 --- a/pkg/workloads/cortex/tf_api/api.py +++ b/pkg/workloads/cortex/tf_api/api.py @@ -508,7 +508,6 @@ def start(args): logger.info("Serving model: {}".format(util.remove_resource_ref(api["model"]))) serve(app, listen="*:{}".format(args.port)) - return def main(): parser = argparse.ArgumentParser() From 37878547f8a95a9f91384ae42d6428f1e62802dc Mon Sep 17 00:00:00 2001 
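Review bot: Moving `router.HandleFunc("/", Index)` above the two `router.Use(...)` calls probably does not exempt `/` from `apiVersionCheckMiddleware` and `authMiddleware`: if `mux` is gorilla/mux (the import is outside the hunk), middleware added with `Use` wraps every route of that router regardless of registration order. If the intent is an unauthenticated health endpoint, make the boundary explicit with a subrouter, e.g. `api := router.PathPrefix("/").Subrouter()` followed by `api.Use(apiVersionCheckMiddleware, authMiddleware)`, and register `/deploy`, `/delete` and the other endpoints on `api`. A comment such as `// "/" is intentionally unauthenticated (health check); every other route is registered on api` would keep the exemption visible to the next reader. `main` continues outside the hunk.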
From: Ivan Zhang Date: Wed, 24 Jul 2019 11:14:58 -0400 Subject: [PATCH 22/68] format --- .../istio-init/templates/serviceaccount.yaml | 1 - .../charts/certmanager/templates/NOTES.txt | 2 +- .../certmanager/templates/deployment.yaml | 2 +- .../charts/galley/templates/configmap.yaml | 2 +- .../charts/galley/templates/deployment.yaml | 2 +- .../gateways/templates/preconfigured.yaml | 4 +- .../gateways/templates/serviceaccount.yaml | 1 - .../istio/charts/gateways/values.yaml | 2 +- .../charts/grafana/templates/service.yaml | 2 +- .../istio/charts/mixer/templates/config.yaml | 6 +-- .../istio/charts/mixer/templates/service.yaml | 1 - .../nodeagent/templates/clusterrole.yaml | 2 +- .../templates/clusterrolebinding.yaml | 2 +- .../charts/nodeagent/templates/daemonset.yaml | 2 +- .../nodeagent/templates/serviceaccount.yaml | 2 +- .../istio/charts/nodeagent/values.yaml | 2 +- .../charts/pilot/templates/meshexpansion.yaml | 1 - .../prometheus/templates/configmap.yaml | 2 +- .../templates/mutatingwebhook.yaml | 1 - .../templates/poddisruptionbudget.yaml | 2 +- .../charts/sidecarInjectorWebhook/values.yaml | 2 +- .../tracing/templates/service-jaeger.yaml | 1 - .../istio/charts/tracing/values.yaml | 1 - .../istio/files/injection-template.yaml | 2 +- manager/manifests/istio/templates/NOTES.txt | 2 +- .../manifests/istio/templates/configmap.yaml | 30 +++++++------- pkg/lib/configreader/reader.go | 2 +- pkg/lib/k8s/virtual_service.go | 40 ++++++++++--------- pkg/workloads/cortex/tf_api/api.py | 2 + 29 files changed, 60 insertions(+), 63 deletions(-) diff --git a/manager/manifests/istio-init/templates/serviceaccount.yaml b/manager/manifests/istio-init/templates/serviceaccount.yaml index dce901750e..f9d7bc2144 100644 --- a/manager/manifests/istio-init/templates/serviceaccount.yaml +++ b/manager/manifests/istio-init/templates/serviceaccount.yaml @@ -6,4 +6,3 @@ metadata: labels: app: istio-init istio: init - 
diff --git a/manager/manifests/istio/charts/certmanager/templates/NOTES.txt b/manager/manifests/istio/charts/certmanager/templates/NOTES.txt index 0307ede4ca..44893d41a3 100644 --- a/manager/manifests/istio/charts/certmanager/templates/NOTES.txt +++ b/manager/manifests/istio/charts/certmanager/templates/NOTES.txt @@ -3,4 +3,4 @@ certmanager has been deployed successfully! More information on the different types of issuers and how to configure them can be found in our documentation: -https://cert-manager.readthedocs.io/en/latest/reference/issuers.html \ No newline at end of file +https://cert-manager.readthedocs.io/en/latest/reference/issuers.html diff --git a/manager/manifests/istio/charts/certmanager/templates/deployment.yaml b/manager/manifests/istio/charts/certmanager/templates/deployment.yaml index fc9eacc5d0..e904da791c 100644 --- a/manager/manifests/istio/charts/certmanager/templates/deployment.yaml +++ b/manager/manifests/istio/charts/certmanager/templates/deployment.yaml @@ -19,7 +19,7 @@ spec: app: certmanager chart: {{ template "certmanager.chart" . }} heritage: {{ .Release.Service }} - release: {{ .Release.Name }} + release: {{ .Release.Name }} {{- if .Values.podLabels }} {{ toYaml .Values.podLabels | indent 8 }} {{- end }} diff --git a/manager/manifests/istio/charts/galley/templates/configmap.yaml b/manager/manifests/istio/charts/galley/templates/configmap.yaml index b138f2ef86..1b71968d64 100644 --- a/manager/manifests/istio/charts/galley/templates/configmap.yaml +++ b/manager/manifests/istio/charts/galley/templates/configmap.yaml @@ -11,4 +11,4 @@ metadata: istio: galley data: validatingwebhookconfiguration.yaml: |- - {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} \ No newline at end of file + {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} 
diff --git a/manager/manifests/istio/charts/galley/templates/deployment.yaml b/manager/manifests/istio/charts/galley/templates/deployment.yaml index e565c23fea..e6ae59caf1 100644 --- a/manager/manifests/istio/charts/galley/templates/deployment.yaml +++ b/manager/manifests/istio/charts/galley/templates/deployment.yaml @@ -24,7 +24,7 @@ spec: app: {{ template "galley.name" . }} chart: {{ template "galley.chart" . }} heritage: {{ .Release.Service }} - release: {{ .Release.Name }} + release: {{ .Release.Name }} istio: galley annotations: sidecar.istio.io/inject: "false" diff --git a/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml b/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml index 8d3dee930e..766cfa684e 100644 --- a/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml +++ b/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml @@ -30,8 +30,8 @@ spec: privateKey: /etc/istio/ingress-certs/tls.key hosts: - "*" -{{ end }} ---- +{{ end }} +--- {{ end }} {{- if .Values.global.meshExpansion.enabled }} diff --git a/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml b/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml index d4f6938c10..cb6d6890d4 100644 --- a/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml +++ b/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml @@ -21,4 +21,3 @@ metadata: {{- end }} {{- end }} {{- end }} - diff --git a/manager/manifests/istio/charts/gateways/values.yaml b/manager/manifests/istio/charts/gateways/values.yaml index 1289afc92f..1525cc34cc 100644 --- a/manager/manifests/istio/charts/gateways/values.yaml +++ b/manager/manifests/istio/charts/gateways/values.yaml 
@@ -208,7 +208,7 @@ istio-egressgateway: ISTIO_META_ROUTER_MODE: "sni-dnat" nodeSelector: {} tolerations: [] - + # Specify the pod anti-affinity that allows you to constrain which nodes # your pod is eligible to be scheduled based on labels on pods that are # already running on the node rather than based on labels on nodes. diff --git a/manager/manifests/istio/charts/grafana/templates/service.yaml b/manager/manifests/istio/charts/grafana/templates/service.yaml index 1dfd82c336..b206679c3e 100644 --- a/manager/manifests/istio/charts/grafana/templates/service.yaml +++ b/manager/manifests/istio/charts/grafana/templates/service.yaml @@ -29,4 +29,4 @@ spec: {{range $rangeList := .Values.service.loadBalancerSourceRanges}} - {{ $rangeList }} {{end}} - {{end}} \ No newline at end of file + {{end}} diff --git a/manager/manifests/istio/charts/mixer/templates/config.yaml b/manager/manifests/istio/charts/mixer/templates/config.yaml index cc0f046da9..eb6d3a3ca4 100644 --- a/manager/manifests/istio/charts/mixer/templates/config.yaml +++ b/manager/manifests/istio/charts/mixer/templates/config.yaml @@ -429,7 +429,7 @@ spec: request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' 
@@ -466,7 +466,7 @@ spec: request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' @@ -503,7 +503,7 @@ spec: request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' diff --git a/manager/manifests/istio/charts/mixer/templates/service.yaml b/manager/manifests/istio/charts/mixer/templates/service.yaml index 79cc4a5820..6da499bed5 100644 --- a/manager/manifests/istio/charts/mixer/templates/service.yaml +++ b/manager/manifests/istio/charts/mixer/templates/service.yaml @@ -36,4 +36,3 @@ spec: {{- end }} {{- end }} {{- end }} - diff --git a/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml b/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml index 9127b05e33..8e4ab6d325 100644 --- a/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml +++ b/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml 
@@ -10,4 +10,4 @@ metadata: rules: - apiGroups: [""] resources: ["configmaps"] - verbs: ["get"] \ No newline at end of file + verbs: ["get"] diff --git a/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml index 963757e72e..591e482125 100644 --- a/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml +++ b/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml @@ -14,4 +14,4 @@ roleRef: subjects: - kind: ServiceAccount name: istio-nodeagent-service-account - namespace: {{ .Release.Namespace }} \ No newline at end of file + namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml b/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml index 3c30e7044c..c6fcb85239 100644 --- a/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml +++ b/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml @@ -63,4 +63,4 @@ spec: {{ toYaml .Values.global.defaultTolerations | indent 6 }} {{- end }} updateStrategy: - type: RollingUpdate \ No newline at end of file + type: RollingUpdate diff --git a/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml b/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml index b52f852d89..86853d7e0a 100644 --- a/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml +++ b/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml @@ -13,4 +13,4 @@ metadata: app: {{ template "nodeagent.name" . }} chart: {{ template "nodeagent.chart" . }} heritage: {{ .Release.Service }} - release: {{ .Release.Name }} \ No newline at end of file + release: {{ .Release.Name }} diff --git a/manager/manifests/istio/charts/nodeagent/values.yaml b/manager/manifests/istio/charts/nodeagent/values.yaml index 9485731aa0..812dd84cab 100644 
--- a/manager/manifests/istio/charts/nodeagent/values.yaml +++ b/manager/manifests/istio/charts/nodeagent/values.yaml @@ -7,7 +7,7 @@ env: # name of authentication provider. CA_PROVIDER: "" # CA endpoint. - CA_ADDR: "" + CA_ADDR: "" # names of authentication provider's plugins. Plugins: "" nodeSelector: {} diff --git a/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml b/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml index 4f3d595706..50dfc0775f 100644 --- a/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml +++ b/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml @@ -88,4 +88,3 @@ spec: --- {{- end }} {{- end }} - diff --git a/manager/manifests/istio/charts/prometheus/templates/configmap.yaml b/manager/manifests/istio/charts/prometheus/templates/configmap.yaml index 1b26fa5a15..040269d3a2 100644 --- a/manager/manifests/istio/charts/prometheus/templates/configmap.yaml +++ b/manager/manifests/istio/charts/prometheus/templates/configmap.yaml @@ -278,4 +278,4 @@ data: target_label: namespace - source_labels: [__meta_kubernetes_pod_name] action: replace - target_label: pod_name \ No newline at end of file + target_label: pod_name diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml index a30dd38e5c..82963f1d97 100644 --- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml @@ -36,4 +36,3 @@ webhooks: matchLabels: istio-injection: enabled {{- end }} - diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml index 51fb3fc3ee..870b92508c 100644 
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml +++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml @@ -15,4 +15,4 @@ spec: app: {{ template "sidecar-injector.name" . }} release: {{ .Release.Name }} istio: sidecar-injector - {{- end }} \ No newline at end of file + {{- end }} diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml index eba94679fe..b2c2f934d3 100644 --- a/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml +++ b/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml @@ -39,4 +39,4 @@ rewriteAppHTTPProbe: false # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions neverInjectSelector: [] -alwaysInjectSelector: [] \ No newline at end of file +alwaysInjectSelector: [] diff --git a/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml b/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml index 23979baf8d..e8c2bc9d89 100644 --- a/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml +++ b/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml @@ -87,4 +87,3 @@ items: selector: app: jaeger {{ end }} - diff --git a/manager/manifests/istio/charts/tracing/values.yaml b/manager/manifests/istio/charts/tracing/values.yaml index d05b650fcc..19102a514e 100644 --- a/manager/manifests/istio/charts/tracing/values.yaml +++ b/manager/manifests/istio/charts/tracing/values.yaml @@ -74,4 +74,3 @@ ingress: # - secretName: tracing-tls # hosts: # - tracing.local - diff --git a/manager/manifests/istio/files/injection-template.yaml b/manager/manifests/istio/files/injection-template.yaml index 2f0f3f069c..99d56acac2 100644 --- a/manager/manifests/istio/files/injection-template.yaml +++ b/manager/manifests/istio/files/injection-template.yaml 
@@ -345,4 +345,4 @@ dnsConfig: {{- range .Values.global.podDNSSearchNamespaces }} - {{ render . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/manager/manifests/istio/templates/NOTES.txt b/manager/manifests/istio/templates/NOTES.txt index d17982c669..be17dcd0be 100644 --- a/manager/manifests/istio/templates/NOTES.txt +++ b/manager/manifests/istio/templates/NOTES.txt @@ -26,4 +26,4 @@ $ kubectl apply -f <(istioctl kube-inject -f .yaml) {{- end }} For more information on running Istio, visit: -https://istio.io/ \ No newline at end of file +https://istio.io/ diff --git a/manager/manifests/istio/templates/configmap.yaml b/manager/manifests/istio/templates/configmap.yaml index 02591ec805..9f4801dbb3 100644 --- a/manager/manifests/istio/templates/configmap.yaml +++ b/manager/manifests/istio/templates/configmap.yaml @@ -36,7 +36,7 @@ data: accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}' {{- if .Values.global.istioRemote }} - + {{- if .Values.global.remotePolicyAddress }} {{- if .Values.global.createRemoteSvcEndpoints }} mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 @@ -51,7 +51,7 @@ data: mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 {{- end }} {{- end }} - + {{- else }} {{- if .Values.mixer.policy.enabled }} @@ -68,7 +68,7 @@ data: mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 {{- end }} {{- end }} - + {{- end }} {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} 
@@ -84,24 +84,24 @@ data: # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS connectTimeout: 10s - + # DNS refresh rate for Envoy clusters of type STRICT_DNS dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }} # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. sdsUdsPath: {{ .Values.global.sds.udsPath }} - # This flag is used by secret discovery service(SDS). - # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount - # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # This flag is used by secret discovery service(SDS). + # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which # will be used to generate key/cert eventually. This isn't supported for non-k8s case. enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }} - # This flag is used by secret discovery service(SDS). - # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' - # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) - # and pass to sds server, which will be used to request key/cert eventually. + # This flag is used by secret discovery service(SDS). 
+ # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. # this flag is ignored if enableSdsTokenMount is set. # This isn't supported for non-k8s case. sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }} @@ -114,7 +114,7 @@ data: # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no # services or ServiceEntries for the destination port # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well - # as those defined through ServiceEntries + # as those defined through ServiceEntries outboundTrafficPolicy: mode: {{ .Values.global.outboundTrafficPolicy.mode }} @@ -125,7 +125,7 @@ data: # configuration. {{- if .Values.global.configRootNamespace }} rootNamespace: {{ .Values.global.configRootNamespace }} - {{- else }} + {{- else }} rootNamespace: {{ .Release.Namespace }} {{- end }} @@ -261,7 +261,7 @@ data: discoveryAddress: {{ $pilotAddress }}:15010 {{- end }} {{- end }} - + # Configuration file for the mesh networks to be used by the Split Horizon EDS. meshNetworks: |- {{- if .Values.global.meshNetworks }} diff --git a/pkg/lib/configreader/reader.go b/pkg/lib/configreader/reader.go index 3b40cfdc34..e4b17411ff 100644 --- a/pkg/lib/configreader/reader.go +++ b/pkg/lib/configreader/reader.go @@ -527,7 +527,7 @@ func ReadInterfaceMapValue(name string, interMap map[string]interface{}) (interf // Prompt // -var ui *input.UI = &input.UI{ +var ui = &input.UI{ Writer: os.Stdout, Reader: os.Stdin, } diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index 930679642d..bcedeaa436 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -1,5 +1,3 @@ -package k8s - /* Copyright 2019 Cortex Labs, Inc. 
@@ -16,6 +14,8 @@ See the License for the specific language governing permissions and limitations under the License. */ +package k8s + import ( "github.com/cortexlabs/cortex/pkg/lib/errors" kerrors "k8s.io/apimachinery/pkg/api/errors" @@ -24,22 +24,24 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" ) -var virtualServiceTypeMeta = kmeta.TypeMeta{ - APIVersion: "v1alpha3", - Kind: "VirtualService", -} +var ( + virtualServiceTypeMeta = kmeta.TypeMeta{ + APIVersion: "v1alpha3", + Kind: "VirtualService", + } -var virtualServiceGVR = schema.GroupVersionResource{ - Group: "networking.istio.io", - Version: "v1alpha3", - Resource: "virtualservices", -} + virtualServiceGVR = schema.GroupVersionResource{ + Group: "networking.istio.io", + Version: "v1alpha3", + Resource: "virtualservices", + } -var virtualServiceGVK = schema.GroupVersionKind{ - Group: "networking.istio.io", - Version: "v1alpha3", - Kind: "VirtualService", -} + virtualServiceGVK = schema.GroupVersionKind{ + Group: "networking.istio.io", + Version: "v1alpha3", + Kind: "VirtualService", + } +) type VirtualServiceSpec struct { Name string @@ -64,16 +66,16 @@ func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { "hosts": []string{"*"}, "gateways": spec.Gateways, "http": []map[string]interface{}{ - map[string]interface{}{ + { "match": []map[string]interface{}{ - map[string]interface{}{ + { "uri": map[string]interface{}{ "prefix": spec.Path, }, }, }, "route": []map[string]interface{}{ - map[string]interface{}{ + { "destination": map[string]interface{}{ "host": spec.ServiceName, "port": map[string]interface{}{ diff --git a/pkg/workloads/cortex/tf_api/api.py b/pkg/workloads/cortex/tf_api/api.py index b5333381d8..b8cff12e11 100644 --- a/pkg/workloads/cortex/tf_api/api.py +++ b/pkg/workloads/cortex/tf_api/api.py @@ -310,6 +310,7 @@ def prediction_failed(sample, reason=None): def health(): return jsonify({"ok": True}) + @app.route("//", methods=["POST"]) def predict(deployment_name, api_name): 
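Review bot: In the regrouped `var (...)` block of pkg/lib/k8s/virtual_service.go, `virtualServiceTypeMeta` still carries `APIVersion: "v1alpha3"` with no group, while `virtualServiceGVR` and `virtualServiceGVK` beside it both name the group `networking.istio.io`. An `apiVersion` for a grouped resource is written `group/version`, so if this TypeMeta is ever serialized or compared with objects returned by the API server it would presumably need to be `APIVersion: "networking.istio.io/v1alpha3",`. Where the variable is used lies outside the hunk, so confirm this against its callers.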
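Review bot: The object built in the `@@ -64,16 +66,16 @@` hunk lacks a comment on a point that decides routing scope: it sets `"hosts": []string{"*"}` and matches only on the URI prefix `spec.Path`. That means every host served by the gateways in `spec.Gateways` is routed to `spec.ServiceName` for that prefix. A comment above the `hosts` entry would make the intent explicit, for example `// matches every host; scoping relies on the gateways and on spec.Path being a specific prefix`. Whether `spec.Path` is checked for being non-empty is not visible here, since `VirtualService` starts and ends outside the hunk.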
@@ -509,6 +510,7 @@ def start(args): logger.info("Serving model: {}".format(util.remove_resource_ref(api["model"]))) serve(app, listen="*:{}".format(args.port)) + def main(): parser = argparse.ArgumentParser() na = parser.add_argument_group("required named arguments") From d3a6e04fbdcff9d7758f8efa8aa6407fead6a05d Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 24 Jul 2019 11:29:12 -0400 Subject: [PATCH 23/68] update lint --- build/lint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/lint.sh b/build/lint.sh index 7477dcb9a1..a060d44390 100755 --- a/build/lint.sh +++ b/build/lint.sh @@ -64,6 +64,8 @@ output=$(cd "$ROOT" && find . -type f \ ! -path "./bin/*" \ ! -path "./.circleci/*" \ ! -path "./.git/*" \ +! -path "./manager/manifests/istio/*" \ +! -path "./manager/manifests/istio-init/*" \ ! -name LICENSE \ ! -name requirements.txt \ ! -name "go.*" \ From 6b12db73b9c9fb3aa24348e263cdc7d6587db8e0 Mon Sep 17 00:00:00 2001 
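Review bot: The two new `! -path` exclusions in build/lint.sh remove everything under `manager/manifests/istio/` and `manager/manifests/istio-init/` from the checks fed by this `find`, with no record of why. A comment above the `output=$(...)` assignment, such as `# vendored Istio charts are skipped so they can stay identical to upstream`, would tell the next maintainer that the exemption is deliberate and limited to third-party content. The `find` command starts and ends outside the hunk, so which checks consume `output` cannot be confirmed from here.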
From: Ivan Zhang Date: Wed, 24 Jul 2019 14:34:55 -0400 Subject: [PATCH 24/68] remove vendoring of istio, download at build time --- images/manager/Dockerfile | 8 +- manager/install_cortex.sh | 3 +- manager/manifests/istio-init/Chart.yaml | 13 - .../manifests/istio-init/files/crd-10.yaml | 573 ---- .../manifests/istio-init/files/crd-11.yaml | 23 - .../manifests/istio-init/files/crd-12.yaml | 21 - .../istio-init/files/crd-certmanager-10.yaml | 82 - .../istio-init/files/crd-certmanager-11.yaml | 74 - .../istio-init/templates/clusterrole.yaml | 11 - .../templates/clusterrolebinding.yaml | 15 - .../templates/configmap-crd-10.yaml | 8 - .../templates/configmap-crd-11.yaml | 8 - .../templates/configmap-crd-12.yaml | 8 - .../configmap-crd-certmanager-10.yaml | 10 - .../configmap-crd-certmanager-11.yaml | 10 - .../istio-init/templates/job-crd-10.yaml | 26 - .../istio-init/templates/job-crd-11.yaml | 26 - .../istio-init/templates/job-crd-12.yaml | 26 - .../templates/job-crd-certmanager-10.yaml | 28 - .../templates/job-crd-certmanager-11.yaml | 28 - .../istio-init/templates/serviceaccount.yaml | 8 - manager/manifests/istio-init/values.yaml | 16 - .../{istio/values.yaml => istio.yaml} | 27 +- manager/manifests/istio/Chart.yaml | 17 - .../istio/charts/certmanager/Chart.yaml | 6 - .../charts/certmanager/templates/NOTES.txt | 6 - .../charts/certmanager/templates/_helpers.tpl | 32 - .../certmanager/templates/deployment.yaml | 69 - .../charts/certmanager/templates/issuer.yaml | 37 - .../templates/poddisruptionbudget.yaml | 24 - .../charts/certmanager/templates/rbac.yaml | 37 - .../certmanager/templates/serviceaccount.yaml | 16 - .../istio/charts/certmanager/values.yaml | 33 - .../manifests/istio/charts/galley/Chart.yaml | 13 - .../charts/galley/templates/_helpers.tpl | 32 - .../charts/galley/templates/clusterrole.yaml | 39 - .../galley/templates/clusterrolebinding.yaml | 17 - .../charts/galley/templates/configmap.yaml | 14 - .../charts/galley/templates/deployment.yaml | 124 - 
.../galley/templates/poddisruptionbudget.yaml | 22 - .../charts/galley/templates/service.yaml | 21 - .../galley/templates/serviceaccount.yaml | 16 - .../validatingwebhookconfiguration.yaml.tpl | 120 - .../manifests/istio/charts/galley/values.yaml | 29 - .../istio/charts/gateways/Chart.yaml | 15 - .../charts/gateways/templates/_affinity.tpl | 93 - .../charts/gateways/templates/_helpers.tpl | 32 - .../charts/gateways/templates/autoscale.yaml | 31 - .../charts/gateways/templates/deployment.yaml | 318 -- .../templates/poddisruptionbudget.yaml | 31 - .../gateways/templates/preconfigured.yaml | 239 -- .../istio/charts/gateways/templates/role.yaml | 18 - .../gateways/templates/rolebindings.yaml | 21 - .../charts/gateways/templates/service.yaml | 59 - .../gateways/templates/serviceaccount.yaml | 23 - .../istio/charts/gateways/values.yaml | 281 -- .../manifests/istio/charts/grafana/Chart.yaml | 6 - .../grafana/dashboards/galley-dashboard.json | 1819 ------------ .../dashboards/istio-mesh-dashboard.json | 953 ------ .../istio-performance-dashboard.json | 1822 ------------ .../dashboards/istio-service-dashboard.json | 2601 ----------------- .../dashboards/istio-workload-dashboard.json | 2303 --------------- .../grafana/dashboards/mixer-dashboard.json | 1808 ------------ .../grafana/dashboards/pilot-dashboard.json | 1788 ----------- .../charts/grafana/templates/_helpers.tpl | 32 - .../templates/configmap-custom-resources.yaml | 16 - .../templates/configmap-dashboards.yaml | 18 - .../charts/grafana/templates/configmap.yaml | 25 - .../create-custom-resources-job.yaml | 101 - .../charts/grafana/templates/deployment.yaml | 127 - .../grafana/templates/grafana-ports-mtls.yaml | 17 - .../charts/grafana/templates/ingress.yaml | 40 - .../istio/charts/grafana/templates/pvc.yaml | 19 - .../charts/grafana/templates/service.yaml | 32 - .../tests/test-grafana-connection.yaml | 37 - .../istio/charts/grafana/values.yaml | 87 - .../istio/charts/istiocoredns/Chart.yaml | 6 - 
.../istiocoredns/templates/_helpers.tpl | 32 - .../istiocoredns/templates/clusterrole.yaml | 13 - .../templates/clusterrolebinding.yaml | 17 - .../istiocoredns/templates/configmap.yaml | 24 - .../istiocoredns/templates/deployment.yaml | 96 - .../istiocoredns/templates/service.yaml | 20 - .../templates/serviceaccount.yaml | 16 - .../istio/charts/istiocoredns/values.yaml | 33 - .../manifests/istio/charts/kiali/Chart.yaml | 6 - .../istio/charts/kiali/templates/_helpers.tpl | 32 - .../charts/kiali/templates/clusterrole.yaml | 265 -- .../kiali/templates/clusterrolebinding.yaml | 17 - .../charts/kiali/templates/configmap.yaml | 27 - .../charts/kiali/templates/demosecret.yaml | 16 - .../charts/kiali/templates/deployment.yaml | 77 - .../istio/charts/kiali/templates/ingress.yaml | 40 - .../istio/charts/kiali/templates/service.yaml | 17 - .../kiali/templates/serviceaccount.yaml | 16 - .../tests/test-kiali-connection.yaml | 37 - .../manifests/istio/charts/kiali/values.yaml | 55 - .../manifests/istio/charts/mixer/Chart.yaml | 13 - .../istio/charts/mixer/templates/_helpers.tpl | 32 - .../charts/mixer/templates/autoscale.yaml | 29 - .../charts/mixer/templates/clusterrole.yaml | 24 - .../mixer/templates/clusterrolebinding.yaml | 19 - .../istio/charts/mixer/templates/config.yaml | 1086 ------- .../charts/mixer/templates/deployment.yaml | 428 --- .../mixer/templates/poddisruptionbudget.yaml | 32 - .../istio/charts/mixer/templates/service.yaml | 38 - .../mixer/templates/serviceaccount.yaml | 18 - .../manifests/istio/charts/mixer/values.yaml | 88 - .../istio/charts/nodeagent/Chart.yaml | 13 - .../charts/nodeagent/templates/_helpers.tpl | 32 - .../nodeagent/templates/clusterrole.yaml | 13 - .../templates/clusterrolebinding.yaml | 17 - .../charts/nodeagent/templates/daemonset.yaml | 66 - .../nodeagent/templates/serviceaccount.yaml | 16 - .../istio/charts/nodeagent/values.yaml | 35 - .../manifests/istio/charts/pilot/Chart.yaml | 13 - .../istio/charts/pilot/templates/_helpers.tpl | 32 - 
.../charts/pilot/templates/autoscale.yaml | 25 - .../charts/pilot/templates/clusterrole.yaml | 34 - .../pilot/templates/clusterrolebinding.yaml | 17 - .../charts/pilot/templates/deployment.yaml | 225 -- .../charts/pilot/templates/meshexpansion.yaml | 90 - .../pilot/templates/poddisruptionbudget.yaml | 22 - .../istio/charts/pilot/templates/service.yaml | 23 - .../pilot/templates/serviceaccount.yaml | 16 - .../manifests/istio/charts/pilot/values.yaml | 50 - .../istio/charts/prometheus/Chart.yaml | 6 - .../charts/prometheus/templates/_helpers.tpl | 32 - .../prometheus/templates/clusterrole.yaml | 24 - .../templates/clusterrolebindings.yaml | 17 - .../prometheus/templates/configmap.yaml | 281 -- .../prometheus/templates/deployment.yaml | 80 - .../charts/prometheus/templates/ingress.yaml | 40 - .../charts/prometheus/templates/service.yaml | 45 - .../prometheus/templates/serviceaccount.yaml | 16 - .../tests/test-prometheus-connection.yaml | 36 - .../istio/charts/prometheus/values.yaml | 59 - .../istio/charts/security/Chart.yaml | 13 - .../charts/security/templates/_helpers.tpl | 32 - .../security/templates/cleanup-secrets.yaml | 125 - .../security/templates/clusterrole.yaml | 22 - .../templates/clusterrolebinding.yaml | 17 - .../charts/security/templates/configmap.yaml | 20 - .../create-custom-resources-job.yaml | 101 - .../charts/security/templates/deployment.yaml | 108 - .../security/templates/enable-mesh-mtls.yaml | 63 - .../templates/enable-mesh-permissive.yaml | 16 - .../security/templates/meshexpansion.yaml | 56 - .../charts/security/templates/service.yaml | 23 - .../security/templates/serviceaccount.yaml | 16 - .../tests/test-citadel-connection.yaml | 36 - .../istio/charts/security/values.yaml | 36 - .../charts/sidecarInjectorWebhook/Chart.yaml | 13 - .../templates/_helpers.tpl | 32 - .../templates/clusterrole.yaml | 17 - .../templates/clusterrolebinding.yaml | 18 - .../templates/deployment.yaml | 110 - .../templates/mutatingwebhook.yaml | 38 - 
.../templates/poddisruptionbudget.yaml | 18 - .../templates/service.yaml | 16 - .../templates/serviceaccount.yaml | 17 - .../charts/sidecarInjectorWebhook/values.yaml | 42 - .../manifests/istio/charts/tracing/Chart.yaml | 6 - .../charts/tracing/templates/_helpers.tpl | 32 - .../tracing/templates/deployment-jaeger.yaml | 92 - .../tracing/templates/deployment-zipkin.yaml | 82 - .../charts/tracing/templates/ingress.yaml | 41 - .../tracing/templates/service-jaeger.yaml | 89 - .../charts/tracing/templates/service.yaml | 56 - .../tests/test-tracing-connection.yaml | 40 - .../istio/charts/tracing/values.yaml | 76 - .../istio/files/injection-template.yaml | 348 --- manager/manifests/istio/requirements.yaml | 40 - manager/manifests/istio/templates/NOTES.txt | 29 - .../manifests/istio/templates/_affinity.tpl | 93 - .../manifests/istio/templates/_helpers.tpl | 46 - .../istio/templates/_podDisruptionBudget.tpl | 3 - .../istio/templates/clusterrole.yaml | 11 - .../istio/templates/clusterrolebinding.yaml | 14 - .../manifests/istio/templates/configmap.yaml | 273 -- .../manifests/istio/templates/endpoints.yaml | 63 - .../templates/install-custom-resources.sh.tpl | 32 - .../manifests/istio/templates/service.yaml | 60 - .../istio/templates/serviceaccount.yaml | 5 - .../templates/sidecar-injector-configmap.yaml | 25 - manager/uninstall_cortex.sh | 2 + 186 files changed, 24 insertions(+), 23171 deletions(-) delete mode 100644 manager/manifests/istio-init/Chart.yaml delete mode 100644 manager/manifests/istio-init/files/crd-10.yaml delete mode 100644 manager/manifests/istio-init/files/crd-11.yaml delete mode 100644 manager/manifests/istio-init/files/crd-12.yaml delete mode 100644 manager/manifests/istio-init/files/crd-certmanager-10.yaml delete mode 100644 manager/manifests/istio-init/files/crd-certmanager-11.yaml delete mode 100644 manager/manifests/istio-init/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio-init/templates/clusterrolebinding.yaml delete mode 100644 
manager/manifests/istio-init/templates/configmap-crd-10.yaml delete mode 100644 manager/manifests/istio-init/templates/configmap-crd-11.yaml delete mode 100644 manager/manifests/istio-init/templates/configmap-crd-12.yaml delete mode 100644 manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml delete mode 100644 manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml delete mode 100644 manager/manifests/istio-init/templates/job-crd-10.yaml delete mode 100644 manager/manifests/istio-init/templates/job-crd-11.yaml delete mode 100644 manager/manifests/istio-init/templates/job-crd-12.yaml delete mode 100644 manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml delete mode 100644 manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml delete mode 100644 manager/manifests/istio-init/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio-init/values.yaml rename manager/manifests/{istio/values.yaml => istio.yaml} (97%) delete mode 100644 manager/manifests/istio/Chart.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/Chart.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/templates/NOTES.txt delete mode 100644 manager/manifests/istio/charts/certmanager/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/certmanager/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/templates/issuer.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/templates/rbac.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/certmanager/values.yaml delete mode 100644 manager/manifests/istio/charts/galley/Chart.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/_helpers.tpl delete mode 100644 
manager/manifests/istio/charts/galley/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/configmap.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl delete mode 100644 manager/manifests/istio/charts/galley/values.yaml delete mode 100644 manager/manifests/istio/charts/gateways/Chart.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/_affinity.tpl delete mode 100644 manager/manifests/istio/charts/gateways/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/gateways/templates/autoscale.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/preconfigured.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/role.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/rolebindings.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/gateways/values.yaml delete mode 100644 manager/manifests/istio/charts/grafana/Chart.yaml delete mode 100644 manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json delete mode 100644 
manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json delete mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json delete mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json delete mode 100644 manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json delete mode 100644 manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json delete mode 100644 manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json delete mode 100644 manager/manifests/istio/charts/grafana/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/configmap.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/ingress.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/pvc.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml delete mode 100644 manager/manifests/istio/charts/grafana/values.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/Chart.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml delete mode 100644 
manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/istiocoredns/values.yaml delete mode 100644 manager/manifests/istio/charts/kiali/Chart.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/kiali/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/configmap.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/demosecret.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/ingress.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml delete mode 100644 manager/manifests/istio/charts/kiali/values.yaml delete mode 100644 manager/manifests/istio/charts/mixer/Chart.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/mixer/templates/autoscale.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/config.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/deployment.yaml delete mode 100644 
manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/mixer/values.yaml delete mode 100644 manager/manifests/istio/charts/nodeagent/Chart.yaml delete mode 100644 manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml delete mode 100644 manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/nodeagent/values.yaml delete mode 100644 manager/manifests/istio/charts/pilot/Chart.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/pilot/templates/autoscale.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/pilot/values.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/Chart.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/_helpers.tpl delete mode 100644 
manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/configmap.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/ingress.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml delete mode 100644 manager/manifests/istio/charts/prometheus/values.yaml delete mode 100644 manager/manifests/istio/charts/security/Chart.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/configmap.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/meshexpansion.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/security/templates/serviceaccount.yaml delete mode 100644 
manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml delete mode 100644 manager/manifests/istio/charts/security/values.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml delete mode 100644 manager/manifests/istio/charts/tracing/Chart.yaml delete mode 100644 manager/manifests/istio/charts/tracing/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml delete mode 100644 manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml delete mode 100644 manager/manifests/istio/charts/tracing/templates/ingress.yaml delete mode 100644 manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml delete mode 100644 manager/manifests/istio/charts/tracing/templates/service.yaml delete mode 100644 manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml delete mode 100644 manager/manifests/istio/charts/tracing/values.yaml delete mode 100644 manager/manifests/istio/files/injection-template.yaml delete mode 100644 
manager/manifests/istio/requirements.yaml delete mode 100644 manager/manifests/istio/templates/NOTES.txt delete mode 100644 manager/manifests/istio/templates/_affinity.tpl delete mode 100644 manager/manifests/istio/templates/_helpers.tpl delete mode 100644 manager/manifests/istio/templates/_podDisruptionBudget.tpl delete mode 100644 manager/manifests/istio/templates/clusterrole.yaml delete mode 100644 manager/manifests/istio/templates/clusterrolebinding.yaml delete mode 100644 manager/manifests/istio/templates/configmap.yaml delete mode 100644 manager/manifests/istio/templates/endpoints.yaml delete mode 100644 manager/manifests/istio/templates/install-custom-resources.sh.tpl delete mode 100644 manager/manifests/istio/templates/service.yaml delete mode 100644 manager/manifests/istio/templates/serviceaccount.yaml delete mode 100644 manager/manifests/istio/templates/sidecar-injector-configmap.yaml diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index db9365b93b..02d85ec441 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -20,16 +20,20 @@ RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.15.0/b chmod +x ./kubectl && \ mv ./kubectl /usr/local/bin/kubectl +COPY manager /root + RUN curl -LO https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz && \ tar -zxvf helm-v2.14.1-linux-amd64.tar.gz && \ chmod +x linux-amd64/helm && \ mv linux-amd64/helm /usr/local/bin/helm -COPY manager /root - RUN git clone https://github.com/nicholasjackson/mtls-go-example && \ cd /root/mtls-go-example && \ PW=$(pwgen -Bs1 12) && yes | ./generate.sh cortex.example.com $PW && \ mkdir ../cortex.example.com && mv 1_root 2_intermediate 3_application 4_client ../cortex.example.com +RUN curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.2.2 sh - && \ + mv ./istio-1.2.2/install/kubernetes/helm/istio ./manifests/ && \ + mv ./istio-1.2.2/install/kubernetes/helm/istio-init ./manifests/ + ENTRYPOINT ["/bin/bash"] 
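Review bot: The added `RUN curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.2.2 sh -` step runs a script fetched through a URL shortener at build time, so the script itself is unpinned even though the Istio version is, and nothing verifies the archive it downloads. The charts it moves into `./manifests/` are what install_cortex.sh later renders and applies to the cluster, and the chart file list in this commit includes ClusterRoles, ClusterRoleBindings and webhook configurations, so a changed redirect or script changes what is installed with cluster-level privileges. I would download the 1.2.2 release archive directly, check it against a recorded SHA-256, and pass `-f` so an HTTP error fails the build. The kubectl and helm downloads in the surrounding context lines have the same gap. The sketch below uses a placeholder digest and assumes the upstream release URL layout, which should be confirmed.

```dockerfile
# … unchanged: kubectl/helm downloads, COPY manager /root, mtls-go-example step …
ARG ISTIO_VERSION=1.2.2
# Placeholder: record the digest published for the release archive.
ARG ISTIO_SHA256=<sha256-of-istio-release-archive>
RUN curl -fsSLO https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz && \
    echo "${ISTIO_SHA256}  istio-${ISTIO_VERSION}-linux.tar.gz" | sha256sum -c - && \
    tar -xzf istio-${ISTIO_VERSION}-linux.tar.gz && \
    mv ./istio-${ISTIO_VERSION}/install/kubernetes/helm/istio ./manifests/ && \
    mv ./istio-${ISTIO_VERSION}/install/kubernetes/helm/istio-init ./manifests/
```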
diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 5c88ca9d9f..d4049b1cc7 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -174,11 +174,12 @@ setup_secrets envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null + kubectl create namespace istio-system kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com/3_application/private/cortex.example.com.key.pem --cert cortex.example.com/3_application/certs/cortex.example.com.cert.pem helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - sleep 20 -helm template manifests/istio --name istio --namespace istio-system | kubectl apply -f - +helm template manifests/istio --values manifests/istio.yaml --name istio --namespace istio-system | kubectl apply -f - envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/istio-init/Chart.yaml b/manager/manifests/istio-init/Chart.yaml deleted file mode 100644 index 2b2b3567da..0000000000 --- a/manager/manifests/istio-init/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -name: istio-init -version: 1.2.2 -appVersion: 1.2.2 -tillerVersion: ">=2.7.2-0" -description: Helm chart to initialize Istio CRDs -keywords: - - istio - - crd -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio-init/files/crd-10.yaml b/manager/manifests/istio-init/files/crd-10.yaml deleted file mode 100644 index 05162d6a95..0000000000 --- a/manager/manifests/istio-init/files/crd-10.yaml +++ /dev/null 
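Review bot: The changed `helm template manifests/istio --values manifests/istio.yaml ... | kubectl apply -f -` line still depends on the fixed `sleep 20` above it to give the istio-init Jobs time to register the CRDs. On a slow cluster the apply can run before the CRDs exist and leave the mesh only partly installed. Waiting on the Jobs is deterministic: `kubectl -n istio-system wait --for=condition=complete job --all --timeout=300s` (the timeout value is illustrative). Because the chart is no longer vendored, a short comment above this line would help, saying that `manifests/istio.yaml` holds the project's overrides for the 1.2.2 chart fetched in images/manager/Dockerfile. Whether the script runs under `set -e` or `pipefail` is outside the hunk, so a failed render may or may not stop the install.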
@@ -1,573 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: networking.istio.io - names: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - shortNames: - - vs - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: destinationrules.networking.istio.io - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: networking.istio.io - names: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule - shortNames: - - dr - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: serviceentries.networking.istio.io - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: networking.istio.io - names: - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - singular: serviceentry - shortNames: - - se - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: gateways.networking.istio.io - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: networking.istio.io - names: - kind: Gateway - plural: gateways - singular: gateway - shortNames: - - gw - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: envoyfilters.networking.istio.io - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: networking.istio.io - names: - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: clusterrbacconfigs.rbac.istio.io - labels: - app: istio-pilot - istio: rbac - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: rbac.istio.io - names: - kind: ClusterRbacConfig - plural: clusterrbacconfigs - singular: clusterrbacconfig - categories: - - istio-io - - rbac-istio-io - scope: Cluster - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: policies.authentication.istio.io - labels: - app: istio-citadel - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: authentication.istio.io - names: - kind: Policy - plural: policies - singular: policy - categories: - - istio-io - - authentication-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: 
CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: meshpolicies.authentication.istio.io - labels: - app: istio-citadel - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: authentication.istio.io - names: - kind: MeshPolicy - listKind: MeshPolicyList - plural: meshpolicies - singular: meshpolicy - categories: - - istio-io - - authentication-istio-io - scope: Cluster - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: httpapispecbindings.config.istio.io - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: httpapispecs.config.istio.io - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: HTTPAPISpec - plural: httpapispecs - singular: httpapispec - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: quotaspecbindings.config.istio.io - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: 
quotaspecs.config.istio.io - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec - categories: - - istio-io - - apim-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: rules.config.istio.io - labels: - app: mixer - package: istio.io.mixer - istio: core - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: rule - plural: rules - singular: rule - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: attributemanifests.config.istio.io - labels: - app: mixer - package: istio.io.mixer - istio: core - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: attributemanifest - plural: attributemanifests - singular: attributemanifest - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: rbacconfigs.rbac.istio.io - labels: - app: mixer - package: istio.io.mixer - istio: rbac - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: rbac.istio.io - names: - kind: RbacConfig - plural: rbacconfigs - singular: rbacconfig - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: serviceroles.rbac.istio.io - labels: - app: mixer - package: istio.io.mixer - istio: rbac - chart: istio - heritage: 
Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: rbac.istio.io - names: - kind: ServiceRole - plural: serviceroles - singular: servicerole - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: servicerolebindings.rbac.istio.io - labels: - app: mixer - package: istio.io.mixer - istio: rbac - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: rbac.istio.io - names: - kind: ServiceRoleBinding - plural: servicerolebindings - singular: servicerolebinding - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 - additionalPrinterColumns: - - JSONPath: .spec.roleRef.name - description: The name of the ServiceRole object being referenced - name: Reference - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: instances.config.istio.io - labels: - app: mixer - package: instance - istio: mixer-instance - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: instance - plural: instances - singular: instance - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: v1alpha2 ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: handlers.config.istio.io - labels: - app: mixer - package: handler - istio: mixer-handler - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: handler - plural: handlers - singular: handler - categories: - - istio-io - - policy-istio-io - scope: Namespaced - version: 
v1alpha2 ---- diff --git a/manager/manifests/istio-init/files/crd-11.yaml b/manager/manifests/istio-init/files/crd-11.yaml deleted file mode 100644 index f3711ec077..0000000000 --- a/manager/manifests/istio-init/files/crd-11.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: sidecars.networking.istio.io - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: networking.istio.io - names: - kind: Sidecar - plural: sidecars - singular: sidecar - categories: - - istio-io - - networking-istio-io - scope: Namespaced - version: v1alpha3 ---- diff --git a/manager/manifests/istio-init/files/crd-12.yaml b/manager/manifests/istio-init/files/crd-12.yaml deleted file mode 100644 index 36e0c8a26a..0000000000 --- a/manager/manifests/istio-init/files/crd-12.yaml +++ /dev/null @@ -1,21 +0,0 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: authorizationpolicies.rbac.istio.io - labels: - app: istio-pilot - istio: rbac - heritage: Tiller - release: istio -spec: - group: rbac.istio.io - names: - kind: AuthorizationPolicy - plural: authorizationpolicies - singular: authorizationpolicy - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - version: v1alpha1 ---- diff --git a/manager/manifests/istio-init/files/crd-certmanager-10.yaml b/manager/manifests/istio-init/files/crd-certmanager-10.yaml deleted file mode 100644 index 85a2093bfc..0000000000 --- a/manager/manifests/istio-init/files/crd-certmanager-10.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.certmanager.k8s.io - labels: - app: certmanager - chart: certmanager - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: ClusterIssuer - plural: clusterissuers - scope: Cluster ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: issuers.certmanager.k8s.io - labels: - app: certmanager - chart: certmanager - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Issuer - plural: issuers - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: certificates.certmanager.k8s.io - labels: - app: certmanager - chart: certmanager - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - JSONPath: .spec.secretName - name: Secret - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - type: string - priority: 1 - - JSONPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - priority: 1 - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: certmanager.k8s.io - version: v1alpha1 - scope: Namespaced - names: - kind: Certificate - plural: certificates - shortNames: - - cert - - certs ---- diff --git a/manager/manifests/istio-init/files/crd-certmanager-11.yaml b/manager/manifests/istio-init/files/crd-certmanager-11.yaml deleted file mode 100644 index 9ae788f746..0000000000 --- a/manager/manifests/istio-init/files/crd-certmanager-11.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: orders.certmanager.k8s.io - labels: - app: certmanager - chart: certmanager - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.issuerRef.name - name: Issuer - type: string - priority: 1 - - JSONPath: .status.reason - name: Reason - type: string - priority: 1 - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Order - plural: orders - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: challenges.certmanager.k8s.io - labels: - app: certmanager - chart: certmanager - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - additionalPrinterColumns: - - JSONPath: .status.state - name: State - type: string - - JSONPath: .spec.dnsName - name: Domain - type: string - - JSONPath: .status.reason - name: Reason - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - - Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: certmanager.k8s.io - version: v1alpha1 - names: - kind: Challenge - plural: challenges - scope: Namespaced ---- diff --git a/manager/manifests/istio-init/templates/clusterrole.yaml b/manager/manifests/istio-init/templates/clusterrole.yaml deleted file mode 100644 index 0b7c50fbc0..0000000000 --- a/manager/manifests/istio-init/templates/clusterrole.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-init-{{ .Release.Namespace }} - labels: - app: istio-init - istio: init -rules: -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create", "get", "list", "watch", "patch"] diff --git a/manager/manifests/istio-init/templates/clusterrolebinding.yaml b/manager/manifests/istio-init/templates/clusterrolebinding.yaml deleted file mode 100644 index 481674c0e5..0000000000 --- a/manager/manifests/istio-init/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-init-admin-role-binding-{{ .Release.Namespace }} - labels: - app: istio-init - istio: init -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-init-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-init-service-account - namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio-init/templates/configmap-crd-10.yaml b/manager/manifests/istio-init/templates/configmap-crd-10.yaml deleted file mode 100644 index 69e37fa14c..0000000000 --- a/manager/manifests/istio-init/templates/configmap-crd-10.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Release.Namespace }} - name: istio-crd-10 -data: - crd-10.yaml: |- -{{.Files.Get "files/crd-10.yaml" | printf "%s" | indent 4}} 
diff --git a/manager/manifests/istio-init/templates/configmap-crd-11.yaml b/manager/manifests/istio-init/templates/configmap-crd-11.yaml deleted file mode 100644 index 952640d60b..0000000000 --- a/manager/manifests/istio-init/templates/configmap-crd-11.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Release.Namespace }} - name: istio-crd-11 -data: - crd-11.yaml: |- -{{.Files.Get "files/crd-11.yaml" | printf "%s" | indent 4}} diff --git a/manager/manifests/istio-init/templates/configmap-crd-12.yaml b/manager/manifests/istio-init/templates/configmap-crd-12.yaml deleted file mode 100644 index a497365344..0000000000 --- a/manager/manifests/istio-init/templates/configmap-crd-12.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Release.Namespace }} - name: istio-crd-12 -data: - crd-12.yaml: |- -{{.Files.Get "files/crd-12.yaml" | printf "%s" | indent 4}} diff --git a/manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml b/manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml deleted file mode 100644 index 8ab3e83568..0000000000 --- a/manager/manifests/istio-init/templates/configmap-crd-certmanager-10.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.certmanager.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Release.Namespace }} - name: istio-crd-certmanager-10 -data: - crd-certmanager-10.yaml: |- -{{.Files.Get "files/crd-certmanager-10.yaml" | printf "%s" | indent 4}} -{{- end }} diff --git a/manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml b/manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml deleted file mode 100644 index beef3043d0..0000000000 --- a/manager/manifests/istio-init/templates/configmap-crd-certmanager-11.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -{{- if .Values.certmanager.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Release.Namespace }} - name: istio-crd-certmanager-11 -data: - crd-certmanager-11.yaml: |- -{{.Files.Get "files/crd-certmanager-11.yaml" | printf "%s" | indent 4}} -{{- end }} diff --git a/manager/manifests/istio-init/templates/job-crd-10.yaml b/manager/manifests/istio-init/templates/job-crd-10.yaml deleted file mode 100644 index 87d6469157..0000000000 --- a/manager/manifests/istio-init/templates/job-crd-10.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: istio-init-crd-10 -spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-init-service-account - containers: - - name: istio-init-crd-10 - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - volumeMounts: - - name: crd-10 - mountPath: /etc/istio/crd-10 - readOnly: true - command: ["kubectl", "apply", "-f", "/etc/istio/crd-10/crd-10.yaml"] - volumes: - - name: crd-10 - configMap: - name: istio-crd-10 - restartPolicy: OnFailure diff --git a/manager/manifests/istio-init/templates/job-crd-11.yaml b/manager/manifests/istio-init/templates/job-crd-11.yaml deleted file mode 100644 index 0f3a4b895d..0000000000 --- a/manager/manifests/istio-init/templates/job-crd-11.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: istio-init-crd-11 -spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-init-service-account - containers: - - name: istio-init-crd-11 - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - volumeMounts: - - name: crd-11 - mountPath: /etc/istio/crd-11 - readOnly: true - command: ["kubectl", "apply", "-f", "/etc/istio/crd-11/crd-11.yaml"] - volumes: - - name: crd-11 - configMap: - name: istio-crd-11 - restartPolicy: OnFailure diff --git a/manager/manifests/istio-init/templates/job-crd-12.yaml b/manager/manifests/istio-init/templates/job-crd-12.yaml deleted file mode 100644 index a8d483cf3e..0000000000 --- a/manager/manifests/istio-init/templates/job-crd-12.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: istio-init-crd-12 -spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-init-service-account - containers: - - name: istio-init-crd-12 - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - volumeMounts: - - name: crd-12 - mountPath: /etc/istio/crd-12 - readOnly: true - command: ["kubectl", "apply", "-f", "/etc/istio/crd-12/crd-12.yaml"] - volumes: - - name: crd-12 - configMap: - name: istio-crd-12 - restartPolicy: OnFailure diff --git a/manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml b/manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml deleted file mode 100644 index 028df6e6c9..0000000000 --- a/manager/manifests/istio-init/templates/job-crd-certmanager-10.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.certmanager.enabled }} -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: istio-init-crd-certmanager-10 -spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-init-service-account - containers: - - name: istio-init-crd-certmanager-10 - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - volumeMounts: - - name: crd-certmanager-10 - mountPath: /etc/istio/crd-certmanager-10 - readOnly: true - command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-10/crd-certmanager-10.yaml"] - volumes: - - name: crd-certmanager-10 - configMap: - name: istio-crd-certmanager-10 - restartPolicy: OnFailure -{{- end }} diff --git a/manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml b/manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml deleted file mode 100644 index 1b6cb4e354..0000000000 --- a/manager/manifests/istio-init/templates/job-crd-certmanager-11.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.certmanager.enabled }} -apiVersion: batch/v1 -kind: Job -metadata: - namespace: {{ .Release.Namespace }} - name: istio-init-crd-certmanager-11 -spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-init-service-account - containers: - - name: istio-init-crd-certmanager-11 - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - volumeMounts: - - name: crd-certmanager-11 - mountPath: /etc/istio/crd-certmanager-11 - readOnly: true - command: ["kubectl", "apply", "-f", "/etc/istio/crd-certmanager-11/crd-certmanager-11.yaml"] - volumes: - - name: crd-certmanager-11 - configMap: - name: istio-crd-certmanager-11 - restartPolicy: OnFailure -{{- end }} 
diff --git a/manager/manifests/istio-init/templates/serviceaccount.yaml b/manager/manifests/istio-init/templates/serviceaccount.yaml deleted file mode 100644 index f9d7bc2144..0000000000 --- a/manager/manifests/istio-init/templates/serviceaccount.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-init-service-account - namespace: {{ .Release.Namespace }} - labels: - app: istio-init - istio: init diff --git a/manager/manifests/istio-init/values.yaml b/manager/manifests/istio-init/values.yaml deleted file mode 100644 index c28caa7b9e..0000000000 --- a/manager/manifests/istio-init/values.yaml +++ /dev/null @@ -1,16 +0,0 @@ -global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.2.2 - - # imagePullPolicy is applied to istio control plane components. - # local tests require IfNotPresent, to avoid uploading to dockerhub. - # TODO: Switch to Always as default, and override in the local tests. - imagePullPolicy: IfNotPresent - -certmanager: - enabled: false diff --git a/manager/manifests/istio/values.yaml b/manager/manifests/istio.yaml similarity index 97% rename from manager/manifests/istio/values.yaml rename to manager/manifests/istio.yaml index b1db2a60e2..ce93ecc8c4 100644 --- a/manager/manifests/istio/values.yaml +++ b/manager/manifests/istio.yaml 
@@ -1,16 +1,17 @@ -# Top level istio values file has the following sections. +# Copyright 2019 Cortex Labs, Inc. # -# global: This file is the authoritative and exhaustive source for the global section. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at # -# chart sections: Every subdirectory inside the charts/ directory has a top level -# configuration key in this file. This file overrides the values specified -# by the charts/${chartname}/values.yaml. -# Check the chart level values file for exhaustive list of configuration options. - -# -# Gateways Configuration, refer to the charts/gateways/values.yaml -# for detailed configuration +# http://www.apache.org/licenses/LICENSE-2.0 # +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + gateways: enabled: true istio-ingressgateway: @@ -147,10 +148,10 @@ galley: mixer: policy: # if policy is enabled the global.disablePolicyChecks has affect. - enabled: true + enabled: false telemetry: - enabled: true + enabled: false # # pilot configuration # @@ -180,7 +181,7 @@ grafana: # addon prometheus configuration # prometheus: - enabled: true + enabled: false # # addon jaeger tracing configuration diff --git a/manager/manifests/istio/Chart.yaml b/manager/manifests/istio/Chart.yaml deleted file mode 100644 index 7b6f78b890..0000000000 --- a/manager/manifests/istio/Chart.yaml +++ /dev/null 
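Review bot: Nothing in the file records why `mixer.policy.enabled` and `mixer.telemetry.enabled` are switched to `false` in the `@@ -147,10 +148,10 @@` hunk, or why `prometheus.enabled` is switched to `false` in the `@@ -180,7 +181,7 @@` hunk, nor what takes over their role. With the policy component off, no Mixer policy checks apply to traffic through `istio-ingressgateway`, and with telemetry and Prometheus off these components produce no request metrics to review after an incident. If the operator endpoint named in the commit title is served through this gateway (not visible in these hunks), its authentication and request logging have to come from the operator itself. The retained comment `# if policy is enabled the global.disablePolicyChecks has affect.` now sits above a disabled setting; I would replace it with `# policy disabled: no Mixer policy checks are enforced; access control is handled by <component>` and add `# telemetry and prometheus disabled: <reason>` next to the other two settings. Both hunks start and end inside larger sections of the values file that lie outside the hunk.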
@@ -1,17 +0,0 @@ -apiVersion: v1 -name: istio -version: 1.2.2 -appVersion: 1.2.2 -tillerVersion: ">=2.7.2-0" -description: Helm chart for all istio components -keywords: - - istio - - security - - sidecarInjectorWebhook - - mixer - - pilot - - galley -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio/charts/certmanager/Chart.yaml b/manager/manifests/istio/charts/certmanager/Chart.yaml deleted file mode 100644 index 087e8e0146..0000000000 --- a/manager/manifests/istio/charts/certmanager/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -description: A Helm chart for Kubernetes -name: certmanager -version: 1.2.2 -appVersion: 0.6.2 -tillerVersion: ">=2.7.2" diff --git a/manager/manifests/istio/charts/certmanager/templates/NOTES.txt b/manager/manifests/istio/charts/certmanager/templates/NOTES.txt deleted file mode 100644 index 44893d41a3..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/NOTES.txt +++ /dev/null @@ -1,6 +0,0 @@ -certmanager has been deployed successfully! - -More information on the different types of issuers and how to configure them -can be found in our documentation: - -https://cert-manager.readthedocs.io/en/latest/reference/issuers.html diff --git a/manager/manifests/istio/charts/certmanager/templates/_helpers.tpl b/manager/manifests/istio/charts/certmanager/templates/_helpers.tpl deleted file mode 100644 index 331a91d433..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "certmanager.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "certmanager.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "certmanager.chart" -}} -{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/manager/manifests/istio/charts/certmanager/templates/deployment.yaml b/manager/manifests/istio/charts/certmanager/templates/deployment.yaml deleted file mode 100644 index e904da791c..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/deployment.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: certmanager - namespace: {{ .Release.Namespace }} - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: certmanager - template: - metadata: - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - {{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} - {{- end }} - annotations: - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: - serviceAccountName: certmanager -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: certmanager - image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - args: - - --cluster-resource-namespace=$(POD_NAMESPACE) - - --leader-election-namespace=$(POD_NAMESPACE) - {{- if .Values.extraArgs }} -{{ toYaml .Values.extraArgs | indent 8 }} - {{- end }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: -{{ toYaml .Values.resources | indent 10 }} - {{- if .Values.podDnsPolicy }} - dnsPolicy: {{ .Values.podDnsPolicy }} - {{- end }} - {{- if .Values.podDnsConfig }} - dnsConfig: - {{ toYaml .Values.podDnsConfig | indent 8 }} - {{- end }} - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} 
diff --git a/manager/manifests/istio/charts/certmanager/templates/issuer.yaml b/manager/manifests/istio/charts/certmanager/templates/issuer.yaml deleted file mode 100644 index 59402daea2..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/issuer.yaml +++ /dev/null @@ -1,37 +0,0 @@ ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging - namespace: {{ .Release.Namespace }} - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: {{ .Values.email }} - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - http01: {} ---- -apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt - namespace: {{ .Release.Namespace }} - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - email: {{ .Values.email }} - privateKeySecretRef: - name: letsencrypt - http01: {} diff --git a/manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml deleted file mode 100644 index b251e3653f..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: certmanager - namespace: {{ .Release.Namespace }} - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - version: {{ .Chart.Version }} - {{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 4 }} - {{- end }} -spec: -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} -{{- end }} - selector: - matchLabels: - app: certmanager - release: {{ .Release.Name }} -{{- end }} diff --git a/manager/manifests/istio/charts/certmanager/templates/rbac.yaml b/manager/manifests/istio/charts/certmanager/templates/rbac.yaml deleted file mode 100644 index b3a4ef3401..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/rbac.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: certmanager - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: - - apiGroups: ["certmanager.k8s.io"] - resources: ["certificates", "certificates/finalizers", "issuers", "clusterissuers", "orders", "orders/finalizers", "challenges"] - verbs: ["*"] - - apiGroups: [""] - resources: ["configmaps", "secrets", "events", "services", "pods"] - verbs: ["*"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: certmanager - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: certmanager -subjects: - - name: certmanager - namespace: {{ .Release.Namespace }} - kind: ServiceAccount diff --git a/manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml b/manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml deleted file mode 100644 index f875435088..0000000000 --- a/manager/manifests/istio/charts/certmanager/templates/serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: certmanager - namespace: {{ .Release.Namespace }} - labels: - app: certmanager - chart: {{ template "certmanager.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} diff --git a/manager/manifests/istio/charts/certmanager/values.yaml b/manager/manifests/istio/charts/certmanager/values.yaml deleted file mode 100644 index 0685fc3c11..0000000000 
--- a/manager/manifests/istio/charts/certmanager/values.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# Certmanager uses ACME to sign certificates. Since Istio gateways are -# mounting the TLS secrets the Certificate CRDs must be created in the -# istio-system namespace. Once the certificate has been created, the -# gateway must be updated by adding 'secretVolumes'. After the gateway -# restart, DestinationRules can be created using the ACME-signed certificates. -enabled: false -replicaCount: 1 -hub: quay.io/jetstack -tag: v0.6.2 -resources: {} -nodeSelector: {} -tolerations: [] - -# Specify the pod anti-affinity that allows you to constrain which nodes -# your pod is eligible to be scheduled based on labels on pods that are -# already running on the node rather than based on labels on nodes. -# There are currently two types of anti-affinity: -# "requiredDuringSchedulingIgnoredDuringExecution" -# "preferredDuringSchedulingIgnoredDuringExecution" -# which denote “hard” vs. “soft” requirements, you can define your values -# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" -# correspondingly. -# For example: -# podAntiAffinityLabelSelector: -# - key: security -# operator: In -# values: S1,S2 -# topologyKey: "kubernetes.io/hostname" -# This pod anti-affinity rule says that the pod requires not to be scheduled -# onto a node if that node is already running a pod with label having key -# “security” and value “S1”. -podAntiAffinityLabelSelector: [] -podAntiAffinityTermLabelSelector: [] diff --git a/manager/manifests/istio/charts/galley/Chart.yaml b/manager/manifests/istio/charts/galley/Chart.yaml deleted file mode 100644 index d9697db8b5..0000000000 --- a/manager/manifests/istio/charts/galley/Chart.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -name: galley -version: 1.2.2 -appVersion: 1.2.2 -tillerVersion: ">=2.7.2" -description: Helm chart for galley deployment -keywords: - - istio - - galley -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/favicons/android-192x192.png diff --git a/manager/manifests/istio/charts/galley/templates/_helpers.tpl b/manager/manifests/istio/charts/galley/templates/_helpers.tpl deleted file mode 100644 index 5d42f4a033..0000000000 --- a/manager/manifests/istio/charts/galley/templates/_helpers.tpl +++ /dev/null @@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "galley.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "galley.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "galley.chart" -}} -{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/manager/manifests/istio/charts/galley/templates/clusterrole.yaml b/manager/manifests/istio/charts/galley/templates/clusterrole.yaml deleted file mode 100644 index 6385c88829..0000000000 --- a/manager/manifests/istio/charts/galley/templates/clusterrole.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-galley-{{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["*"] -- apiGroups: ["config.istio.io"] # istio mixer CRD watcher - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["networking.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["authentication.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["rbac.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions","apps"] - resources: ["deployments"] - resourceNames: ["istio-galley"] - verbs: ["get"] -- apiGroups: [""] - resources: ["pods", "nodes", "services", "endpoints"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions"] - resources: ["deployments/finalizers"] - resourceNames: ["istio-galley"] - verbs: ["update"] diff --git a/manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml deleted file mode 100644 index 88cde2554b..0000000000 --- a/manager/manifests/istio/charts/galley/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-galley-admin-role-binding-{{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-galley-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-galley-service-account - namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/charts/galley/templates/configmap.yaml b/manager/manifests/istio/charts/galley/templates/configmap.yaml deleted file mode 100644 index 1b71968d64..0000000000 --- a/manager/manifests/istio/charts/galley/templates/configmap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-galley-configuration - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: galley -data: - validatingwebhookconfiguration.yaml: |- - {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} diff --git a/manager/manifests/istio/charts/galley/templates/deployment.yaml b/manager/manifests/istio/charts/galley/templates/deployment.yaml deleted file mode 100644 index e6ae59caf1..0000000000 --- a/manager/manifests/istio/charts/galley/templates/deployment.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-galley - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: galley -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - istio: galley - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: galley - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-galley-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: galley -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 443 - - containerPort: {{ .Values.global.monitoringPort }} - - containerPort: 9901 - command: - - /usr/local/bin/galley - - server - - --meshConfigFile=/etc/mesh-config/mesh - - --livenessProbeInterval=1s - - --livenessProbePath=/healthliveness - - --readinessProbePath=/healthready - - --readinessProbeInterval=1s - - --deployment-namespace={{ .Release.Namespace }} -{{- if $.Values.global.controlPlaneSecurityEnabled}} - - --insecure=false -{{- else }} - - --insecure=true -{{- end }} -{{- if not $.Values.global.useMCP }} - - --enable-server=false -{{- end }} - - --validation-webhook-config-file - - /etc/config/validatingwebhookconfiguration.yaml - - --monitoringPort={{ .Values.global.monitoringPort }} -{{- if $.Values.global.logging.level }} - - --log_output_level={{ $.Values.global.logging.level }} -{{- end}} - volumeMounts: - 
- name: certs - mountPath: /etc/certs - readOnly: true - - name: config - mountPath: /etc/config - readOnly: true - - name: mesh-config - mountPath: /etc/mesh-config - readOnly: true - livenessProbe: - exec: - command: - - /usr/local/bin/galley - - probe - - --probe-path=/healthliveness - - --interval=10s - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - exec: - command: - - /usr/local/bin/galley - - probe - - --probe-path=/healthready - - --interval=10s - initialDelaySeconds: 5 - periodSeconds: 5 - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - volumes: - - name: certs - secret: - secretName: istio.istio-galley-service-account - - name: config - configMap: - name: istio-galley-configuration - - name: mesh-config - configMap: - name: istio - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} diff --git a/manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml deleted file mode 100644 index 75bf77834a..0000000000 --- a/manager/manifests/istio/charts/galley/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-galley - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: galley -spec: -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }} -{{- end }} - selector: - matchLabels: - app: {{ template "galley.name" . }} - release: {{ .Release.Name }} - istio: galley -{{- end }} diff --git a/manager/manifests/istio/charts/galley/templates/service.yaml b/manager/manifests/istio/charts/galley/templates/service.yaml deleted file mode 100644 index cd21fd1925..0000000000 --- a/manager/manifests/istio/charts/galley/templates/service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istio-galley - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: galley -spec: - ports: - - port: 443 - name: https-validation - - port: {{ .Values.global.monitoringPort }} - name: http-monitoring - - port: 9901 - name: grpc-mcp - selector: - istio: galley diff --git a/manager/manifests/istio/charts/galley/templates/serviceaccount.yaml b/manager/manifests/istio/charts/galley/templates/serviceaccount.yaml deleted file mode 100644 index 1ff54c49e7..0000000000 --- a/manager/manifests/istio/charts/galley/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-galley-service-account - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} diff --git a/manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl b/manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl deleted file mode 100644 index 7847d2433c..0000000000 --- a/manager/manifests/istio/charts/galley/templates/validatingwebhookconfiguration.yaml.tpl +++ /dev/null 
@@ -1,120 +0,0 @@ -{{ define "validatingwebhookconfiguration.yaml.tpl" }} -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-galley - labels: - app: {{ template "galley.name" . }} - chart: {{ template "galley.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: galley -webhooks: -{{- if .Values.global.configValidation }} - - name: pilot.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: {{ .Release.Namespace }} - path: "/admitpilot" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - httpapispecs - - httpapispecbindings - - quotaspecs - - quotaspecbindings - - operations: - - CREATE - - UPDATE - apiGroups: - - rbac.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - authentication.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - networking.istio.io - apiVersions: - - "*" - resources: - - destinationrules - - envoyfilters - - gateways - - serviceentries - - sidecars - - virtualservices - failurePolicy: Fail - sideEffects: None - - name: mixer.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: {{ .Release.Namespace }} - path: "/admitmixer" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - rules - - attributemanifests - - circonuses - - deniers - - fluentds - - kubernetesenvs - - listcheckers - - memquotas - - noops - - opas - - prometheuses - - rbacs - - solarwindses - - stackdrivers - - cloudwatches - - dogstatsds - - statsds - - stdios - - apikeys - - authorizations - - checknothings - # - kuberneteses - - listentries - - logentries - - metrics - - quotas - - reportnothings - - tracespans - - adapters - - handlers - - 
instances - - templates - - zipkins - failurePolicy: Fail - sideEffects: None -{{- end }} -{{- end }} diff --git a/manager/manifests/istio/charts/galley/values.yaml b/manager/manifests/istio/charts/galley/values.yaml deleted file mode 100644 index 24c0ddf31c..0000000000 --- a/manager/manifests/istio/charts/galley/values.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# -# galley configuration -# -enabled: true -replicaCount: 1 -image: galley -nodeSelector: {} -tolerations: [] - -# Specify the pod anti-affinity that allows you to constrain which nodes -# your pod is eligible to be scheduled based on labels on pods that are -# already running on the node rather than based on labels on nodes. -# There are currently two types of anti-affinity: -# "requiredDuringSchedulingIgnoredDuringExecution" -# "preferredDuringSchedulingIgnoredDuringExecution" -# which denote “hard” vs. “soft” requirements, you can define your values -# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" -# correspondingly. -# For example: -# podAntiAffinityLabelSelector: -# - key: security -# operator: In -# values: S1,S2 -# topologyKey: "kubernetes.io/hostname" -# This pod anti-affinity rule says that the pod requires not to be scheduled -# onto a node if that node is already running a pod with label having key -# “security” and value “S1”. -podAntiAffinityLabelSelector: [] -podAntiAffinityTermLabelSelector: [] diff --git a/manager/manifests/istio/charts/gateways/Chart.yaml b/manager/manifests/istio/charts/gateways/Chart.yaml deleted file mode 100644 index cd08e7cfe8..0000000000 --- a/manager/manifests/istio/charts/gateways/Chart.yaml +++ /dev/null 
@@ -1,15 +0,0 @@
-apiVersion: v1
-name: gateways
-version: 1.2.2
-appVersion: 1.2.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for deploying Istio gateways
-keywords:
- - istio
- - ingressgateway
- - egressgateway
- - gateways
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/gateways/templates/_affinity.tpl b/manager/manifests/istio/charts/gateways/templates/_affinity.tpl
deleted file mode 100644
index 8e216de2c8..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/_affinity.tpl
+++ /dev/null
@@ -1,93 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{- define "gatewaynodeaffinity" }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "gatewayNodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "gatewayNodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "gatewayNodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .root.Values.global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .root.Values.global.defaultNodeSelector .nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val }} - {{- end }} -{{- end }} - -{{- define "gatewayNodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .root.Values.global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - {{ $key }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "gatewaypodAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "gatewaypodAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "gatewaypodAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "gatewaypodAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- end }} -{{- end }} - -{{- define "gatewaypodAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/manager/manifests/istio/charts/gateways/templates/_helpers.tpl b/manager/manifests/istio/charts/gateways/templates/_helpers.tpl deleted file mode 100644 index bfc8bc4004..0000000000 --- a/manager/manifests/istio/charts/gateways/templates/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "gateway.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "gateway.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "gateway.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/gateways/templates/autoscale.yaml b/manager/manifests/istio/charts/gateways/templates/autoscale.yaml
deleted file mode 100644
index 2455ac3450..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/autoscale.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if ne $key "enabled" }}
-{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ $key }}
- namespace: {{ $spec.namespace | default $.Release.Namespace }}
- labels:
- chart: {{ template "gateway.chart" $ }}
- heritage: {{ $.Release.Service }}
- release: {{ $.Release.Name }}
- {{- range $key, $val := $spec.labels }}
- {{ $key }}: {{ $val }}
- {{- end }}
-spec:
- maxReplicas: {{ $spec.autoscaleMax }}
- minReplicas: {{ $spec.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ $key }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/templates/deployment.yaml b/manager/manifests/istio/charts/gateways/templates/deployment.yaml
deleted file mode 100644
index bf34434a0d..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/deployment.yaml
+++ /dev/null
@@ -1,318 +0,0 @@ -{{- range $key, $spec := .Values }} -{{- if ne $key "enabled" }} -{{- if $spec.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $key }} - namespace: {{ $spec.namespace | default $.Release.Namespace }} - labels: - chart: {{ template "gateway.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} -spec: -{{- if not $spec.autoscaleEnabled }} -{{- if $spec.replicaCount }} - replicas: {{ $spec.replicaCount }} -{{- else }} - replicas: 1 -{{- end }} -{{- end }} - selector: - matchLabels: - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} - template: - metadata: - labels: - chart: {{ template "gateway.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if $spec.podAnnotations }} -{{ toYaml $spec.podAnnotations | indent 8 }} -{{ end }} - spec: - serviceAccountName: {{ $key }}-service-account -{{- if $.Values.global.priorityClassName }} - priorityClassName: "{{ $.Values.global.priorityClassName }}" -{{- end }} -{{- if $.Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" $.Values.global.proxy_init.image }} - image: "{{ $.Values.global.proxy_init.image }}" -{{- else }} - image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited - securityContext: - privileged: true -{{- end }} - containers: -{{- if $spec.sds }} -{{- if $spec.sds.enabled }} - - name: ingress-sds -{{- if contains "/" $spec.sds.image }} - image: "{{ $spec.sds.image }}" -{{- else }} - image: "{{ 
$.Values.global.hub }}/{{ $spec.sds.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - resources: -{{- if $spec.sds.resources }} -{{ toYaml $spec.sds.resources | indent 12 }} -{{- else }} -{{ toYaml $.Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: "ENABLE_WORKLOAD_SDS" - value: "false" - - name: "ENABLE_INGRESS_GATEWAY_SDS" - value: "true" - - name: "INGRESS_GATEWAY_NAMESPACE" - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: ingressgatewaysdsudspath - mountPath: /var/run/ingress_gateway -{{- end }} -{{- end }} - - name: istio-proxy -{{- if contains "/" $.Values.global.proxy.image }} - image: "{{ $.Values.global.proxy.image }}" -{{- else }} - image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - ports: - {{- range $key, $val := $spec.ports }} - - containerPort: {{ $val.port }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} - {{- if $.Values.global.proxy.logLevel }} - - --proxyLogLevel={{ $.Values.global.proxy.logLevel }} - {{- end}} - {{- if $.Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ $.Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if $.Values.global.logging.level }} - - --log_output_level={{ $.Values.global.logging.level }} - {{- end}} - - --drainDuration - - '45s' #drainDuration - - --parentShutdownDuration - - '1m0s' #parentShutdownDuration - - --connectTimeout - - '10s' #connectTimeout - - --serviceCluster - - {{ $key }} - - --zipkinAddress - {{- if $.Values.global.tracer.zipkin.address }} - - {{ $.Values.global.tracer.zipkin.address }} - {{- else if $.Values.global.istioNamespace }} - - zipkin.{{ $.Values.global.istioNamespace }}:9411 - 
{{- else }} - - zipkin:9411 - {{- end }} - {{- if $.Values.global.proxy.envoyStatsd.enabled }} - - --statsdUdpAddress - - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }} - {{- end }} - {{- if $.Values.global.proxy.envoyMetricsService.enabled }} - - --envoyMetricsServiceAddress - - {{ $.Values.global.proxy.envoyMetricsService.host }}:{{ $.Values.global.proxy.envoyMetricsService.port }} - {{- end }} - - --proxyAdminPort - - "15000" - - --statusPort - - "15020" - {{- if $.Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --discoveryAddress - {{- if $.Values.global.istioNamespace }} - - istio-pilot.{{ $.Values.global.istioNamespace }}:15011 - {{- else }} - - istio-pilot:15011 - {{- end }} - {{- else }} - - --controlPlaneAuthPolicy - - NONE - - --discoveryAddress - {{- if $.Values.global.istioNamespace }} - - istio-pilot.{{ $.Values.global.istioNamespace }}:15010 - {{- else }} - - istio-pilot:15010 - {{- end }} - {{- if $spec.applicationPorts }} - - --applicationPorts - - "{{ $spec.applicationPorts }}" - {{- end }} - {{- end }} - {{- if $.Values.global.trustDomain }} - - --trust-domain={{ $.Values.global.trustDomain }} - {{- end }} - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $spec.resources }} -{{ toYaml $spec.resources | indent 12 }} -{{- else }} -{{ toYaml $.Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - 
fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if $spec.sds }} - {{- if $spec.sds.enabled }} - - name: ISTIO_META_USER_SDS - value: "true" - {{- end }} - {{- end }} - {{- if $spec.env }} - {{- range $key, $val := $spec.env }} - - name: {{ $key }} - value: {{ $val }} - {{- end }} - {{- end }} - volumeMounts: - {{- if $.Values.global.sds.enabled }} - - name: sdsudspath - mountPath: /var/run/sds - readOnly: true - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - mountPath: /var/run/secrets/tokens - {{- end }} - {{- end }} - {{- if $spec.sds }} - {{- if $spec.sds.enabled }} - - name: ingressgatewaysdsudspath - mountPath: /var/run/ingress_gateway - {{- end }} - {{- end }} - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- range $spec.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} -{{- if $spec.additionalContainers }} -{{ toYaml $spec.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- if $spec.sds }} - {{- if $spec.sds.enabled }} - - name: ingressgatewaysdsudspath - emptyDir: {} - {{- end }} - {{- end }} - {{- if $.Values.global.sds.enabled }} - - name: sdsudspath - hostPath: - path: /var/run/sds - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ $.Values.global.trustDomain }} - {{- end }} - {{- end }} - - name: istio-certs - secret: - secretName: istio.{{ $key }}-service-account - optional: true - {{- range $spec.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $spec.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | 
quote }} - optional: true - {{- end }} - affinity: - {{- include "gatewaynodeaffinity" (dict "root" $ "nodeSelector" $spec.nodeSelector) | indent 6 }} - {{- include "gatewaypodAntiAffinity" (dict "podAntiAffinityLabelSelector" $spec.podAntiAffinityLabelSelector "podAntiAffinityTermLabelSelector" $spec.podAntiAffinityTermLabelSelector) | indent 6 }} - {{- if $spec.tolerations }} - tolerations: -{{ toYaml $spec.tolerations | indent 6 }} - {{- else if $.Values.global.defaultTolerations }} - tolerations: -{{ toYaml $.Values.global.defaultTolerations | indent 6 }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml deleted file mode 100644 index 36a2d5a9cb..0000000000 --- a/manager/manifests/istio/charts/gateways/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- range $key, $spec := .Values }} -{{- if and (ne $key "enabled") }} -{{- if $spec.enabled }} -{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ $key }} - namespace: {{ $spec.namespace | default $.Release.Namespace }} - labels: - chart: {{ template "gateway.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} -spec: -{{- if $.Values.global.defaultPodDisruptionBudget.enabled }} -{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }} -{{- end }} - selector: - matchLabels: - release: {{ $.Release.Name }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- end }} -{{- end }} 
diff --git a/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml b/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml
deleted file mode 100644
index 766cfa684e..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/preconfigured.yaml
+++ /dev/null
@@ -1,239 +0,0 @@ -{{- if .Values.global.k8sIngress.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-autogenerated-k8s-ingress - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - istio: {{ .Values.global.k8sIngress.gatewayName }} - servers: - - port: - number: 80 - protocol: HTTP2 - name: http - hosts: - - "*" -{{ if .Values.global.k8sIngress.enableHttps }} - - port: - number: 443 - protocol: HTTPS - name: https-default - tls: - mode: SIMPLE - serverCertificate: /etc/istio/ingress-certs/tls.crt - privateKey: /etc/istio/ingress-certs/tls.key - hosts: - - "*" -{{ end }} ---- -{{ end }} - -{{- if .Values.global.meshExpansion.enabled }} -{{- if .Values.global.meshExpansion.useILB }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-ilb-gateway - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - istio: ilbgateway - servers: - - port: - number: 15011 - protocol: TCP - name: tcp-pilot - hosts: - - "*" - - port: - number: 8060 - protocol: TCP - name: tcp-citadel - hosts: - - "*" - - port: - number: 15004 - name: tls-mixer - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH - hosts: - - "*" ---- -{{- else }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-gateway - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - {{- range $key, $spec := .Values }} - {{- if eq $key "istio-ingressgateway" }} - {{- if $spec.enabled }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - servers: - - port: - number: 15011 - protocol: TCP - name: tcp-pilot - hosts: - - "*" - - port: - number: 8060 - protocol: TCP - name: tcp-citadel - hosts: - - "*" - - port: - number: 15004 - name: tls-mixer - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH - hosts: - - "*" ---- -{{- end }} -{{- end }} - -{{- if .Values.global.multiCluster.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-multicluster-egressgateway - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - {{- range $key, $spec := .Values }} - {{- if eq $key "istio-egressgateway" }} - {{- if $spec.enabled }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - servers: - - hosts: - - "*.global" - port: - name: tls - number: 15443 - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH ---- -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - {{- range $key, $spec := .Values }} - {{- if eq $key "istio-ingressgateway" }} - {{- if $spec.enabled }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - servers: - - hosts: - - "*.global" - port: - name: tls - number: 15443 - protocol: TLS - tls: - mode: AUTO_PASSTHROUGH ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: istio-multicluster-ingressgateway - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - workloadLabels: - {{- range $key, $spec := .Values }} - {{- if eq $key "istio-ingressgateway" }} - {{- if $spec.enabled }} - {{- range $key, $val := $spec.labels }} - {{ $key }}: {{ $val }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - filters: - - listenerMatch: - portNumber: 15443 - listenerType: GATEWAY - insertPosition: - index: AFTER - relativeTo: envoy.filters.network.sni_cluster - filterName: envoy.filters.network.tcp_cluster_rewrite - filterType: NETWORK - filterConfig: - cluster_pattern: "\\.global$" - cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" ---- -## To ensure all traffic to *.global is using mTLS -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-multicluster-destinationrule - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gateway.name" . }} - chart: {{ template "gateway.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - host: "*.global" - {{- if .Values.global.defaultConfigVisibilitySettings }} - exportTo: - - '*' - {{- end }} - trafficPolicy: - tls: - mode: ISTIO_MUTUAL ---- -{{- end }} 
diff --git a/manager/manifests/istio/charts/gateways/templates/role.yaml b/manager/manifests/istio/charts/gateways/templates/role.yaml
deleted file mode 100644
index de46604421..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if ne $key "enabled" }}
-{{- if $spec.enabled }}
-{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ $key }}-sds
- namespace: {{ $.Release.Namespace }}
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/templates/rolebindings.yaml b/manager/manifests/istio/charts/gateways/templates/rolebindings.yaml
deleted file mode 100644
index 4bb30150d7..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/rolebindings.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if ne $key "enabled" }}
-{{- if $spec.enabled }}
-{{- if ($spec.sds) and (eq $spec.sds.enabled true) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ $key }}-sds
- namespace: {{ $.Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ $key }}-sds
-subjects:
-- kind: ServiceAccount
- name: {{ $key }}-service-account
----
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/templates/service.yaml b/manager/manifests/istio/charts/gateways/templates/service.yaml
deleted file mode 100644
index 9474f04769..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/service.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if ne $key "enabled" }}
-{{- if $spec.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ $key }}
- namespace: {{ $spec.namespace | default $.Release.Namespace }}
- annotations:
- {{- range $key, $val := $spec.serviceAnnotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
- chart: {{ template "gateway.chart" $ }}
- heritage: {{ $.Release.Service }}
- release: {{ $.Release.Name }}
- {{- range $key, $val := $spec.labels }}
- {{ $key }}: {{ $val }}
- {{- end }}
-spec:
-{{- if $spec.loadBalancerIP }}
- loadBalancerIP: "{{ $spec.loadBalancerIP }}"
-{{- end }}
-{{- if $spec.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml $spec.loadBalancerSourceRanges | indent 4 }}
-{{- end }}
-{{- if $spec.externalTrafficPolicy }}
- externalTrafficPolicy: {{$spec.externalTrafficPolicy }}
-{{- end }}
-{{- if $spec.externalIPs }}
- externalIPs:
-{{ toYaml $spec.externalIPs | indent 4 }}
-{{- end }}
- type: {{ .type }}
- selector:
- release: {{ $.Release.Name }}
- {{- range $key, $val := $spec.labels }}
- {{ $key }}: {{ $val }}
- {{- end }}
- ports:
- {{- range $key, $val := $spec.ports }}
- -
- {{- range $pkey, $pval := $val }}
- {{ $pkey}}: {{ $pval }}
- {{- end }}
- {{- end }}
- {{- if $.Values.global.meshExpansion.enabled }}
- {{- range $key, $val := $spec.meshExpansionPorts }}
- -
- {{- range $pkey, $pval := $val }}
- {{ $pkey}}: {{ $pval }}
- {{- end }}
- {{- end }}
- {{- end }}
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml b/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml
deleted file mode 100644
index cb6d6890d4..0000000000
--- a/manager/manifests/istio/charts/gateways/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if ne $key "enabled" }}
-{{- if $spec.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if $.Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range $.Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: {{ $key }}-service-account
- namespace: {{ $spec.namespace | default $.Release.Namespace }}
- labels:
- app: {{ $spec.labels.app }}
- chart: {{ template "gateway.chart" $ }}
- heritage: {{ $.Release.Service }}
- release: {{ $.Release.Name }}
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/gateways/values.yaml b/manager/manifests/istio/charts/gateways/values.yaml
deleted file mode 100644
index 1525cc34cc..0000000000
--- a/manager/manifests/istio/charts/gateways/values.yaml
+++ /dev/null
@@ -1,281 +0,0 @@ -# -# Gateways Configuration -# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. -# You can add more gateways in addition to the defaults but make sure those are uniquely named -# and that NodePorts are not conflicting. -# Disable specifc gateway by setting the `enabled` to false. -# -enabled: true - -istio-ingressgateway: - enabled: true - # - # Secret Discovery Service (SDS) configuration for ingress gateway. - # - sds: - # If true, ingress gateway fetches credentials from SDS server to handle TLS connections. - enabled: false - # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. - # This server runs in the same pod as ingress gateway. - image: node-agent-k8s - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - labels: - app: istio-ingressgateway - istio: ingressgateway - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - # specify replicaCount when autoscaleEnabled: false - # replicaCount: 1 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - cpu: - targetAverageUtilization: 80 - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalIPs: [] - serviceAnnotations: {} - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out - ports: - ## You can add custom gateway ports - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15020 - targetPort: 15020 - name: status-port - - port: 80 - targetPort: 80 - name: http2 - nodePort: 31380 - - port: 443 - name: https - nodePort: 31390 - # Example of a port to add. 
Remove if not needed - - port: 31400 - name: tcp - nodePort: 31400 - ### PORTS FOR UI/metrics ##### - ## Disable if not needed - - port: 15029 - targetPort: 15029 - name: https-kiali - - port: 15030 - targetPort: 15030 - name: https-prometheus - - port: 15031 - targetPort: 15031 - name: https-grafana - - port: 15032 - targetPort: 15032 - name: https-tracing - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - #### MESH EXPANSION PORTS ######## - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - # Delete these ports if mesh expansion is not enabled, to avoid - # exposing unnecessary ports on the web. - # You can remove these ports if you are not using mesh expansion - meshExpansionPorts: - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 15004 - targetPort: 15004 - name: tcp-mixer-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - - port: 853 - targetPort: 853 - name: tcp-dns-tls - ####### end MESH EXPANSION PORTS ###### - ############## - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - ### Advanced options ############ - - # Ports to explicitly check for readiness. If configured, the readiness check will expect a - # listener on these ports. A comma separated list is expected, such as "80,443". - # - # Warning: If you do not have a gateway configured for the ports provided, this check will always - # fail. This is intended for use cases where you always expect to have a listener on the port, - # such as 80 or 443 in typical setups. 
- applicationPorts: "" - - env: - # A gateway with this mode ensures that pilot generates an additional - # set of clusters for internal services but without Istio mTLS, to - # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "sni-dnat" - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote “hard” vs. “soft” requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # “security” and value “S1”. 
- podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - -istio-egressgateway: - enabled: false - labels: - app: istio-egressgateway - istio: egressgateway - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - # specify replicaCount when autoscaleEnabled: false - # replicaCount: 1 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 256Mi - cpu: - targetAverageUtilization: 80 - serviceAnnotations: {} - podAnnotations: {} - type: ClusterIP #change to NodePort or LoadBalancer if need be - ports: - - port: 80 - name: http2 - - port: 443 - name: https - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - secretVolumes: - - name: egressgateway-certs - secretName: istio-egressgateway-certs - mountPath: /etc/istio/egressgateway-certs - - name: egressgateway-ca-certs - secretName: istio-egressgateway-ca-certs - mountPath: /etc/istio/egressgateway-ca-certs - #### Advanced options ######## - env: - # Set this to "external" if and only if you want the egress gateway to - # act as a transparent SNI gateway that routes mTLS/TLS traffic to - # external services defined using service entries, where the service - # entry has resolution set to DNS, has one or more endpoints with - # network field set to "external". By default its set to "" so that - # the egress gateway sees the same set of endpoints as the sidecars - # preserving backward compatibility - # ISTIO_META_REQUESTED_NETWORK_VIEW: "" - # A gateway with this mode ensures that pilot generates an additional - # set of clusters for internal services but without Istio mTLS, to - # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "sni-dnat" - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. 
- # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote “hard” vs. “soft” requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # “security” and value “S1”. - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - -# Mesh ILB gateway creates a gateway of type InternalLoadBalancer, -# for mesh expansion. It exposes the mtls ports for Pilot,CA as well -# as non-mtls ports to support upgrades and gradual transition. -istio-ilbgateway: - enabled: false - labels: - app: istio-ilbgateway - istio: ilbgateway - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - # specify replicaCount when autoscaleEnabled: false - # replicaCount: 1 - cpu: - targetAverageUtilization: 80 - resources: - requests: - cpu: 800m - memory: 512Mi - #limits: - # cpu: 1800m - # memory: 256Mi - loadBalancerIP: "" - serviceAnnotations: - cloud.google.com/load-balancer-type: "internal" - podAnnotations: {} - type: LoadBalancer - ports: - ## You can add custom gateway ports - google ILB default quota is 5 ports, - - port: 15011 - name: grpc-pilot-mtls - # Insecure port - only for migration from 0.8. 
Will be removed in 1.1 - - port: 15010 - name: grpc-pilot - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - # Port 5353 is forwarded to kube-dns - - port: 5353 - name: tcp-dns - secretVolumes: - - name: ilbgateway-certs - secretName: istio-ilbgateway-certs - mountPath: /etc/istio/ilbgateway-certs - - name: ilbgateway-ca-certs - secretName: istio-ilbgateway-ca-certs - mountPath: /etc/istio/ilbgateway-ca-certs - nodeSelector: {} - tolerations: [] diff --git a/manager/manifests/istio/charts/grafana/Chart.yaml b/manager/manifests/istio/charts/grafana/Chart.yaml deleted file mode 100644 index 1e951c944f..0000000000 --- a/manager/manifests/istio/charts/grafana/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -description: A Helm chart for Kubernetes -name: grafana -version: 1.2.2 -appVersion: 1.2.2 -tillerVersion: ">=2.7.2" diff --git a/manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json deleted file mode 100644 index e4d7968003..0000000000 --- a/manager/manifests/istio/charts/grafana/dashboards/galley-dashboard.json +++ /dev/null 
@@ -1,1819 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "links": [], - "panels": [ - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 5, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 46, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build{component=\"galley\"}) by (tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Galley Versions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 40, - 
"panels": [], - "title": "Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 0, - "y": 6 - }, - "id": 36, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "A" - }, - { - "expr": "process_resident_memory_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "B" - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "C" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F" - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "G" - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "H" - }, - { - "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Total 
(kis)", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 6, - "y": 6 - }, - "id": 38, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B" - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "galley (self-reported)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": 
null, - "timeRegions": [], - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 12, - "y": 6 - }, - "id": 42, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Open FDs (galley)", - "refId": "A" - }, - { - "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }} ", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": 
null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 18, - "y": 6 - }, - "id": 44, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "goroutines_total", - "refId": "A" - }, - { - "expr": "galley_mcp_source_clients_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "clients_total", - "refId": "B" - }, - { - "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "avg_goroutines_per_client", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 14 - }, - "id": 10, - "panels": [], - "title": "Runtime", - "type": 
"row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 15 - }, - "id": 2, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Strategy Change Events", - "refId": "A" - }, - { - "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Processed Events", - "refId": "B" - }, - { - "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Snapshot Published", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Event Rates", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Events/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 15 - }, - "id": 4, 
- "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Max Time Reached", - "refId": "A" - }, - { - "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Quiesce Reached", - "refId": "B" - }, - { - "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Timer Resets", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Timer Rates", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Events/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 15 - }, - "id": 8, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": 
"null", - "percentage": false, - "pointradius": 3, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P95", - "refId": "C" - }, - { - "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Events Per Snapshot", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 21 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 
1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ typeURL }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "State Type Instances", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Count", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 27 - }, - "id": 34, - "panels": [], - "title": "Validation", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 28 - }, - "id": 28, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "galley_validation_cert_key_updates{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Key Updates", - "refId": "A" - }, - { - "expr": 
"galley_validation_cert_key_update_errors{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Key Update Errors: {{ error }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Validation Webhook Certificate", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 28 - }, - "id": 30, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", - "refId": "A" - }, - { - "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Resource 
Validation", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 28 - }, - "id": 32, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ status }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Validation HTTP Errors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 34 - }, - 
"id": 12, - "panels": [], - "title": "Kubernetes Source", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 35 - }, - "id": 14, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Success", - "refId": "A" - }, - { - "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Error", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Source Event Rate", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Events/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 35 - }, - "id": 16, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - 
"linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Kubernetes Object Conversion Successes", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Conversions/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 35 - }, - "id": 24, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Error", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": 
null, - "title": "Kubernetes Object Conversion Failures", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Failures/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 41 - }, - "id": 18, - "panels": [], - "title": "Mesh Configuration Protocol", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 42 - }, - "id": 20, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(galley_mcp_source_clients_total)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Clients", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Connected Clients", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": 
null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 42 - }, - "id": 22, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Request ACKs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "ACKs/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 42 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - 
"seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Request NACKs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "NACKs/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Galley Dashboard", - "uid": "TSEY6jLmk", - "version": 1 -} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json deleted file mode 100644 index 99c911f4d2..0000000000 --- a/manager/manifests/istio/charts/grafana/dashboards/istio-mesh-dashboard.json +++ /dev/null 
@@ -1,953 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "5.2.3" - }, - { - "type": "panel", - "id": "graph", - "name": "Graph", - "version": "5.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "singlestat", - "name": "Singlestat", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "text", - "name": "Text", - "version": "5.0.0" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": null, - "links": [], - "panels": [ - { - "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "height": "50px", - "id": 13, - "links": [], - "mode": "html", - "style": { - "font-size": "18pt" - }, - "title": "", - "transparent": true, - "type": "text" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 0, - "y": 3 - }, - "id": 20, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Global Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false 
- }, - "gridPos": { - "h": 3, - "w": 6, - "x": 6, - "y": 3 - }, - "id": 21, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "95, 99, 99.5", - "title": "Global Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 12, - "y": 3 - }, - "id": 22, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - 
"text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "4xxs", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 18, - "y": 3 - }, - "id": 23, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "5xxs", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - 
"value": "null" - } - ], - "valueName": "avg" - }, - { - "columns": [], - "datasource": "Prometheus", - "fontSize": "100%", - "gridPos": { - "h": 21, - "w": 24, - "x": 0, - "y": 6 - }, - "hideTimeOverride": false, - "id": 73, - "links": [], - "pageSize": null, - "repeat": null, - "repeatDirection": "v", - "scroll": true, - "showHeader": true, - "sort": { - "col": 4, - "desc": true - }, - "styles": [ - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": false, - "linkTargetBlank": false, - "linkTooltip": "Workload dashboard", - "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", - "pattern": "destination_workload", - "preserveFormat": false, - "sanitize": false, - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Time", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Requests", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #A", - "thresholds": [], - "type": "number", - "unit": "ops" - }, - { - "alias": "P50 Latency", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #B", - "thresholds": [], - "type": "number", - "unit": "s" - }, - { - "alias": "P90 Latency", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": 
"YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #D", - "thresholds": [], - "type": "number", - "unit": "s" - }, - { - "alias": "P99 Latency", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #E", - "thresholds": [], - "type": "number", - "unit": "s" - }, - { - "alias": "Success Rate", - "colorMode": "cell", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #F", - "thresholds": [ - ".95", - " 1.00" - ], - "type": "number", - "unit": "percentunit" - }, - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", - "pattern": "destination_workload_var", - "thresholds": [], - "type": "number", - "unit": "short" - }, - { - "alias": "Service", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", - "pattern": "destination_service", - "thresholds": [], - "type": "string", - "unit": "short" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "destination_workload_namespace", - "thresholds": [], - "type": "hidden", - "unit": "short" - } - ], - "targets": [ - { - "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", - "refId": "A" - }, - { - "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", - "refId": "B" - }, - { - "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "D" - }, - { - "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "E" - }, - { - "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "F" - } - ], - "timeFrom": null, - "title": "HTTP/GRPC Workloads", - "transform": "table", - "transparent": false, - "type": "table" - }, - { - "columns": [], - "datasource": "Prometheus", - "fontSize": "100%", - "gridPos": { - "h": 18, - "w": 24, - "x": 0, - "y": 27 - }, - "hideTimeOverride": false, - "id": 109, - "links": [], - "pageSize": null, - "repeatDirection": "v", - "scroll": true, - "showHeader": true, - "sort": { - "col": 2, - "desc": true - }, - "styles": [ - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": false, - "linkTargetBlank": false, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", - "pattern": "destination_workload", - "preserveFormat": false, - "sanitize": false, - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Bytes Sent", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #A", - "thresholds": [ - "" - ], - "type": "number", - "unit": "Bps" - }, - { - "alias": "Bytes Received", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - 
"dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #C", - "thresholds": [], - "type": "number", - "unit": "Bps" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Time", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", - "pattern": "destination_workload_var", - "thresholds": [], - "type": "string", - "unit": "short" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "destination_workload_namespace", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Service", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", - "pattern": "destination_service", - "thresholds": [], - "type": "number", - "unit": "short" - } - ], - "targets": [ - { - "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - 
"intervalFactor": 1, - "legendFormat": "{{ destination_workload }}", - "refId": "C" - }, - { - "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}", - "refId": "A" - } - ], - "timeFrom": null, - "title": "TCP Workloads", - "transform": "table", - "transparent": false, - "type": "table" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 9, - "w": 24, - "x": 0, - "y": 45 - }, - "id": 111, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build) by (component, tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ component }}: {{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Istio Components by Version", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": false, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - 
"show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "browser", - "title": "Istio Mesh Dashboard", - "version": 4 -} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json deleted file mode 100644 index 20d9446dcf..0000000000 --- a/manager/manifests/istio/charts/grafana/dashboards/istio-performance-dashboard.json +++ /dev/null 
@@ -1,1822 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": 9, - "links": [], - "panels": [ - { - "collapsed": true, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 21, - "panels": [ - { - "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. 
For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.\n\n\n", - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 1 - }, - "id": 19, - "links": [], - "mode": "markdown", - "timeFrom": null, - "timeShift": null, - "title": "Performance Dashboard README", - "transparent": true, - "type": "text" - } - ], - "title": "Performance Dashboard Notes", - "type": "row" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 1 - }, - "id": 6, - "panels": [], - "title": "vCPU Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 2 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "istio-telemetry", - "refId": "A" - }, - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - 
"legendFormat": "istio-ingressgateway", - "refId": "B" - }, - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-proxy", - "refId": "C" - }, - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-policy", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU / 1k rps", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 2 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - 
"spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-telemetry", - "refId": "A" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-ingressgateway", - "refId": "B" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-proxy", - "refId": "C" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-policy", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 10 - }, - "id": 13, - "panels": [], - "title": "Memory and Data Rates", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": 
false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 11 - }, - "id": 902, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-telemetry / 1k rps", - "refId": "A" - }, - { - "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "per istio-ingressgateway", - "refId": "B" - }, - { - "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "per istio proxy", - "refId": "C" - }, - { - "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-policy / 1k rps", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory Usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - 
"type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 11 - }, - "id": 11, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-telemetry", - "refId": "A" - }, - { - "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-ingressgateway", - "refId": "B" - }, - { - "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", - "format": 
"time_series", - "intervalFactor": 1, - "legendFormat": "istio-proxy", - "refId": "C" - }, - { - "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio_policy", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Bytes transferred / sec", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 19 - }, - "id": 17, - "panels": [], - "title": "Istio Component Versions", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 24, - "x": 0, - "y": 20 - }, - "id": 15, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build) by (component, tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ component }}: {{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - 
"title": "Istio Components by Version", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 31 - }, - "id": 71, - "panels": [], - "title": "Proxy Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 32 - }, - "id": 72, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - 
"label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 32 - }, - "id": 73, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 32 - }, - "id": 702, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - 
"nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(container_fs_usage_bytes{container_name=\"istio-proxy\"})", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 39 - }, - "id": 69, - "panels": [], - "title": "Pilot Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 40 - }, - "id": 5, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "I", - "step": 2 
- }, - { - "expr": "process_resident_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "H", - "step": 2 - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "A" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F", - "step": 2 - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "E", - "step": 2 - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "G", - "step": 2 - }, - { - "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "C", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - 
"min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 40 - }, - "id": 602, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "pilot (self-reported)", - "refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - 
"label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 40 - }, - "id": 74, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs (pilot)", - "refId": "A" - }, - { - "expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": 
false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 40 - }, - "id": 402, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 47 - }, - "id": 93, - "panels": [], - "title": "Mixer Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 48 - }, - "id": 94, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - 
"spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "I", - "step": 2 - }, - { - "expr": "process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "H", - "step": 2 - }, - { - "expr": "go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "A" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F", - "step": 2 - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "E", - "step": 2 - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=~\"istio-policy|istio-telemetry\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "G", - "step": 2 - }, - { - "expr": "sum(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "C", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name 
}} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 48 - }, - "id": 95, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m])) by (container_name)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - }, - { - "expr": "irate(process_cpu_seconds_total{job=~\"istio-policy|istio-telemetry\"}[1m])", - "format": 
"time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "mixer (self-reported)", - "refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 48 - }, - "id": 96, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=~\"istio-policy|istio-telemetry\"}", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs (pilot)", - "refId": "A" - }, - { - "expr": "container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - 
"type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 48 - }, - "id": 97, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"istio-telemetry\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "10s", - "schemaVersion": 18, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - 
"timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Performance Dashboard", - "uid": "vu8e0VWZk", - "version": 22 -} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json deleted file mode 100644 index 871dc3d814..0000000000 --- a/manager/manifests/istio/charts/grafana/dashboards/istio-service-dashboard.json +++ /dev/null @@ -1,2601 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "iteration": 1536442501501, - "links": [], - "panels": [ - { - "content": "
\nSERVICE: $service\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 89, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 0, - "y": 3 - }, - "id": 12, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Client Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(237, 129, 40, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "decimals": null, - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - 
"thresholdMarkers": false - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 6, - "y": 3 - }, - "id": 14, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "B" - } - ], - "thresholds": "95, 99, 99.5", - "title": "Client Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 4, - "w": 6, - "x": 12, - "y": 3 - }, - "id": 87, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "interval": "", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Client Request Duration", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 3 - }, - "id": 84, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": 
"connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Received Bytes", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 97, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", - "format": 
"time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Server Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(237, 129, 40, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "decimals": null, - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 6, - "y": 7 - }, - "id": 98, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "B" - } - ], - "thresholds": "95, 99, 99.5", - "title": "Server Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - 
"dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 4, - "w": 6, - "x": 12, - "y": 7 - }, - "id": 99, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "interval": "", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Server Request Duration", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - 
"yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 7 - }, - "id": 100, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Sent Bytes", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "content": "
\nCLIENT WORKLOADS\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 11 - }, - "id": 45, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 14 - }, - "id": 25, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests by Source And Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": 
"graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 14 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Success Rate (non-5xx responses) By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 20 - }, - "id": 27, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Duration by Source", - "tooltip": { - 
"shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 20 - }, - "id": 28, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 
1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 20 - }, - "id": 68, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - 
"rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 80, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 82, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent to Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "
\nSERVICE WORKLOADS\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 32 - }, - "id": 69, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 35 - }, - "id": 90, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests by Destination And Response Code", - "tooltip": { - 
"shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 35 - }, - "id": 91, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Success Rate (non-5xx responses) By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 41 - }, - "id": 94, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - 
"stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Duration by Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 41 - }, - "id": 95, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": 
"time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", 
destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Size By Source", - "tooltip": { - 
"shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 41 - }, - "id": 96, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, 
destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", 
destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - 
"aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 47 - }, - "id": 92, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": 
"0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 47 - }, - "id": 93, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent to Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - 
"buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "10s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "allValue": null, - "datasource": "Prometheus", - "hide": 0, - "includeAll": false, - "label": "Service", - "multi": false, - "name": "service", - "options": [], - "query": "label_values(destination_service)", - "refresh": 1, - "regex": "", - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Client Workload Namespace", - "multi": true, - "name": "srcns", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", - "refresh": 1, - "regex": "/.*namespace=\"([^\"]*).*/", - "sort": 2, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Client Workload", - "multi": true, - "name": "srcwl", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 3, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Service Workload Namespace", - "multi": true, - "name": "dstns", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", - "refresh": 1, - "regex": "/.*namespace=\"([^\"]*).*/", - "sort": 2, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Service Workload", - "multi": true, - "name": "dstwl", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 3, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - 
] - }, - "timezone": "", - "title": "Istio Service Dashboard", - "uid": "LJ_uJAvmk", - "version": 1 -} diff --git a/manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json deleted file mode 100644 index d0953c078d..0000000000 --- a/manager/manifests/istio/charts/grafana/dashboards/istio-workload-dashboard.json +++ /dev/null @@ -1,2303 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "5.0.4" - }, - { - "type": "panel", - "id": "graph", - "name": "Graph", - "version": "5.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "singlestat", - "name": "Singlestat", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "text", - "name": "Text", - "version": "5.0.0" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": null, - "iteration": 1531345461465, - "links": [], - "panels": [ - { - "content": "
\nWORKLOAD: $workload.$namespace\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 89, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 8, - "x": 0, - "y": 3 - }, - "id": 12, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Incoming Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(237, 129, 40, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "decimals": null, - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 
80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false - }, - "gridPos": { - "h": 4, - "w": 8, - "x": 8, - "y": 3 - }, - "id": 14, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "B" - } - ], - "thresholds": "95, 99, 99.5", - "title": "Incoming Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 4, - "w": 8, - "x": 16, - "y": 3 - }, - "id": 87, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": 
"flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", - "format": "time_series", - "interval": "", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Request Duration", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 12, - "x": 0, - 
"y": 7 - }, - "id": 84, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Server Traffic", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 12, - "x": 12, - "y": 7 - }, - "id": 85, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": 
"", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Client Traffic", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "content": "
\nINBOUND WORKLOADS\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 11 - }, - "id": 45, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 14 - }, - "id": 25, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests by Source And 
Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 14 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": 
"sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Success Rate (non-5xx responses) By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 20 - }, - "id": 27, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": 
"flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - 
}, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Duration by Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 20 - }, - "id": 28, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 20 - }, - "id": 68, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] 
- }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 80, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Incoming TCP 
Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 82, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent to Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - }, - { - "content": "
\nOUTBOUND SERVICES\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 32 - }, - "id": 69, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 35 - }, - "id": 70, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Requests by Destination And Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": 
true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 35 - }, - "id": 71, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", 
source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{destination_service }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Success Rate (non-5xx responses) By Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 41 - }, - "id": 72, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Request Duration by Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 41 - }, - "id": 73, - "legend": { - "alignAsTable": false, - "avg": 
false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", 
destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99", - "refId": "H", - "step": 2 - } - ], - 
"thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Request Size By Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 41 - }, - "id": 74, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, 
- "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 47 - }, - "id": 76, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": 
"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent on Outgoing TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 47 - }, - "id": 78, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Outgoing TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - } - ], - "refresh": "10s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": false, - "label": "Namespace", - "multi": false, - "name": "namespace", - "options": [], - "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", - "refresh": 1, - "regex": "/.*_namespace=\"([^\"]*).*/", - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { 
- "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": false, - "label": "Workload", - "multi": false, - "name": "workload", - "options": [], - "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Inbound Workload Namespace", - "multi": true, - "name": "srcns", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", - "refresh": 1, - "regex": "/.*namespace=\"([^\"]*).*/", - "sort": 2, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Inbound Workload", - "multi": true, - "name": "srcwl", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 3, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Destination Service", - "multi": true, - "name": "dstsvc", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", - "refresh": 1, - "regex": "/.*destination_service=\"([^\"]*).*/", - "sort": 4, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Workload Dashboard", - "uid": "UbsSZTDik", - "version": 1 -} diff --git a/manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json deleted file mode 100644 index 8ca438c497..0000000000 --- a/manager/manifests/istio/charts/grafana/dashboards/mixer-dashboard.json +++ /dev/null 
@@ -1,1808 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "5.2.3" - }, - { - "type": "panel", - "id": "graph", - "name": "Graph", - "version": "5.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "text", - "name": "Text", - "version": "5.0.0" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "limit": 100, - "name": "Annotations & Alerts", - "showIn": 0, - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 1, - "id": null, - "iteration": 1543881232533, - "links": [], - "panels": [ - { - "content": "

Deployed Versions

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "height": "40", - "id": 62, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 5, - "w": 24, - "x": 0, - "y": 3 - }, - "id": 64, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Mixer Versions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Resource Usage

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 8 - }, - "height": "40", - "id": 29, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 11 - }, - "id": 5, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory ({{ job }})", - "refId": "I" - }, - { - "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory ({{ job }})", - "refId": "H" - }, - { - "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys ({{ job }})", - "refId": "A" - }, - { - "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc ({{ job }})", - "refId": "D" - }, - { - "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc ({{ job }})", - "refId": "F" - }, - { - "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - 
"format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use ({{ job }})", - "refId": "E" - }, - { - "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use ({{ job }})", - "refId": "G" - }, - { - "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} total (k8s)", - "refId": "C" - }, - { - "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} - {{ container_name }} (k8s)", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 11 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - 
"show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} total (k8s)", - "refId": "A" - }, - { - "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} - {{ container_name }} (k8s)", - "refId": "B" - }, - { - "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ job }} (self-reported)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": 
null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 11 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs ({{ job }})", - "refId": "A" - }, - { - "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ service }} - {{ container_name }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - 
"w": 6, - "x": 18, - "y": 11 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines ({{ job }})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Mixer Overview

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 18 - }, - "height": "40px", - "id": 30, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 0, - "y": 21 - }, - "id": 9, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "mixer (Total)", - "refId": "B" - }, - { - "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "mixer ({{ grpc_server_method }})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 6, - "y": 21 - }, - "id": 8, - "legend": { - "avg": false, - 
"current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "{}", - "yaxis": 1 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ grpc_server_method }} 0.5", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ grpc_server_method }} 0.9", - "refId": "C" - }, - { - "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ grpc_server_method }} 0.99", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Durations", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 12, - "y": 21 - }, - "id": 11, - "legend": { - "avg": false, - "current": false, - "max": false, 
- "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Mixer {{ grpc_method }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Server Error Rate (5xx responses)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 18, - "y": 21 - }, - "id": 12, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Mixer {{ 
grpc_method }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Non-successes (4xxs)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Adapters and Config

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 27 - }, - "id": 28, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 30 - }, - "id": 13, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Adapter Dispatch Count", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 30 - }, - "id": 14, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - 
"percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }} - p50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }} - p90 ", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }} - p99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Adapter Dispatch Duration", - "tooltip": { - "shared": true, - "sort": 1, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 37 - }, - "id": 60, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - 
"pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Rules", - "refId": "A" - }, - { - "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Config Errors", - "refId": "B" - }, - { - "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Match Errors", - "refId": "C" - }, - { - "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Unsatisfied Actions", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Rules", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 37 - }, - "id": 56, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": 
false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Instances", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Instances in Latest Config", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 37 - }, - "id": 54, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Handlers", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Handlers in Latest Config", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - 
"values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 37 - }, - "id": 58, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", - "format": "time_series", - "instant": false, - "intervalFactor": 1, - "legendFormat": "Attributes", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Attributes in Latest Config", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Individual Adapters

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 44 - }, - "id": 23, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 47 - }, - "id": 46, - "panels": [], - "repeat": "adapter", - "title": "$adapter Adapter", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 48 - }, - "id": 17, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ handler }} (error: {{ error }})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Dispatch Count By Handler", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - 
"w": 12, - "x": 12, - "y": 48 - }, - "id": 18, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", - "refId": "A" - }, - { - "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", - "refId": "D" - }, - { - "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Dispatch Duration By Handler", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": 
true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Adapter", - "multi": true, - "name": "adapter", - "options": [], - "query": "label_values(adapter)", - "refresh": 2, - "regex": "", - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Mixer Dashboard", - "version": 4 -}
diff --git a/manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json b/manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json
deleted file mode 100644
index cca5509b3a..0000000000
--- a/manager/manifests/istio/charts/grafana/dashboards/pilot-dashboard.json
+++ /dev/null
@@ -1,1788 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 1, - "id": 6, - "links": [], - "panels": [ - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 60, - "panels": [], - "title": "Deployed Versions", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 5, - "w": 24, - "x": 0, - "y": 1 - }, - "id": 56, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Pilot Versions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 6 - }, - "id": 62, - "panels": 
[], - "title": "Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 5, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "I", - "step": 2 - }, - { - "expr": "process_resident_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "H", - "step": 2 - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "A" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F", - "step": 2 - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "E", - "step": 2 - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "G", - "step": 2 - }, - { - "expr": 
"sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "C", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 7 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - 
"step": 2 - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "pilot (self-reported)", - "refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 7 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs (pilot)", - "refId": "A" - }, - { - "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 7 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - 
"max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 14 - }, - "id": 58, - "panels": [], - "title": "Pilot Push Information", - "type": "row" - }, - { - "aliasColors": {}, - "bars": true, - "dashLength": 10, - "dashes": false, - "description": "Shows pilot pushes", - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 15 - }, - "id": 622, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": false, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "paceLength": 10, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(pilot_xds_pushes{type!~\".*_senderr\"}[1m])) by (type)", - "format": "time_series", - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{ type }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Pilot Pushes", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - 
"description": "Captures a variety of pilot errors", - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 15 - }, - "id": 67, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", - "refId": "C" - }, - { - "expr": "pilot_xds_eds_reject{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Rejected EDS Configs", - "refId": "D" - }, - { - "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Write Timeouts", - "refId": "F" - }, - { - "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Push Timeouts", - "refId": "G" - }, - { - "expr": "sum(rate(pilot_xds_push_errors{job=\"pilot\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Push Errors ({{ type }})", - "refId": "I" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Pilot Errors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - 
"format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 23 - }, - "id": 64, - "panels": [], - "title": "xDS", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 24 - }, - "id": 40, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "XDS GRPC Successes", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Updates", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 24 - }, - "id": 42, - "legend": { - "avg": false, - "current": false, - "max": false, - 
"min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "XDS GRPC ", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Failures", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 24 - }, - "id": 41, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Pilot (XDS GRPC)", - 
"refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Connections", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 30 - }, - "id": 45, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Inbound Listeners", - "refId": "B" - }, - { - "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (http over current tcp)", - "refId": "A" - }, - { - "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (tcp over current tcp)", - "refId": "C" - }, - { - "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - 
"legendFormat": "Outbound Listeners (tcp over current http)", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Conflicts", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 30 - }, - "id": 47, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pilot_virt_services{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Virtual Services", - "refId": "A" - }, - { - "expr": "pilot_services{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Services", - "refId": "B" - }, - { - "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", - "format": "time_series", - "hide": true, - "intervalFactor": 1, - "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", - "refId": "C" - }, - { - "expr": "pilot_xds_eds_reject{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 1, 
- "legendFormat": "Rejected EDS Configs", - "refId": "D" - }, - { - "expr": "pilot_xds{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Connected Endpoints", - "refId": "E" - }, - { - "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Write Timeouts", - "refId": "F" - }, - { - "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Push Timeouts", - "refId": "G" - }, - { - "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Pushes ({{ type }})", - "refId": "H" - }, - { - "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Push Errors ({{ type }})", - "refId": "I" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "ADS Monitoring", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 16, - "y": 30 - }, - "id": 49, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - 
"renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ node }} ({{ err }})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Rejected CDS Configs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 38 - }, - "id": 52, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ node }} ({{err}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Rejected EDS Configs", - "tooltip": { - "shared": true, - "sort": 
0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 8, - "x": 8, - "y": 38 - }, - "id": 54, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ node }} ({{err}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Rejected LDS Configs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - 
"datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 8, - "x": 16, - "y": 38 - }, - "id": 53, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ node }} ({{err}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Rejected RDS Configs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": { - "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" - }, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 45 - }, - "id": 51, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [ 
- { - "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", - "yaxis": 1 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ cluster }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "EDS Instances", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 18, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "browser", - "title": "Istio Pilot Dashboard", - "uid": "3--MLVZZk", - "version": 1 -} diff --git a/manager/manifests/istio/charts/grafana/templates/_helpers.tpl b/manager/manifests/istio/charts/grafana/templates/_helpers.tpl deleted file mode 100644 index 9d4c59205c..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "grafana.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "grafana.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "grafana.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml b/manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml
deleted file mode 100644
index b89bc07654..0000000000
--- a/manager/manifests/istio/charts/grafana/templates/configmap-custom-resources.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-grafana-custom-resources
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "grafana.name" . }}
- chart: {{ template "grafana.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: grafana
-data:
- custom-resources.yaml: |-
- {{- include "grafana-default.yaml.tpl" . | indent 4}}
- run.sh: |-
- {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml b/manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml deleted file mode 100644 index dd1ab0d75a..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/configmap-dashboards.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- $files := .Files }} -{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} -{{- $filename := trimSuffix (ext $path) (base $path) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-{{ $filename }} - namespace: {{ $.Release.Namespace }} - labels: - app: {{ template "grafana.name" $ }} - chart: {{ template "grafana.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - istio: grafana -data: - {{ base $path }}: '{{ $files.Get $path }}' ---- -{{- end }} diff --git a/manager/manifests/istio/charts/grafana/templates/configmap.yaml b/manager/manifests/istio/charts/grafana/templates/configmap.yaml deleted file mode 100644 index c86efe1f4c..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/configmap.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: grafana -data: -{{- if .Values.datasources }} - {{- range $key, $value := .Values.datasources }} - {{ $key }}: | -{{ toYaml $value | indent 4 }} - {{- end -}} -{{- end -}} - -{{- if .Values.dashboardProviders }} - {{- range $key, $value := .Values.dashboardProviders }} - {{ $key }}: | -{{ toYaml $value | indent 4 }} - {{- end -}} -{{- end -}} 
diff --git a/manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml b/manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml deleted file mode 100644 index 8f179d5cc5..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/create-custom-resources-job.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-grafana-post-install-account - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-grafana-post-install-{{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: ["authentication.istio.io"] # needed to create default authn policy - resources: ["*"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-grafana-post-install-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-grafana-post-install-account - namespace: {{ .Release.Namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: istio-grafana-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }} - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-install - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - template: - metadata: - name: istio-grafana-post-install - labels: - app: istio-grafana - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - spec: - serviceAccountName: istio-grafana-post-install-account - containers: - - name: kubectl - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] - volumeMounts: - - mountPath: "/tmp/grafana" - name: tmp-configmap-grafana - volumes: - - name: tmp-configmap-grafana - configMap: - name: istio-grafana-custom-resources - restartPolicy: OnFailure - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} diff --git a/manager/manifests/istio/charts/grafana/templates/deployment.yaml b/manager/manifests/istio/charts/grafana/templates/deployment.yaml deleted file mode 100644 index b5cf7fc419..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/deployment.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grafana - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: grafana - template: - metadata: - labels: - app: grafana - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - prometheus.io/scrape: "true" - spec: - securityContext: - runAsUser: 472 - fsGroup: 472 -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.imagePullSecrets }} - imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 3000 - readinessProbe: - httpGet: - path: /login - port: 3000 - env: - - name: GRAFANA_PORT - value: "3000" -{{- if .Values.security.enabled }} - - name: GF_SECURITY_ADMIN_USER - valueFrom: - secretKeyRef: - name: {{ .Values.security.secretName }} - key: {{ .Values.security.usernameKey }} - - name: GF_SECURITY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.security.secretName }} - key: {{ .Values.security.passphraseKey }} - - name: GF_AUTH_BASIC_ENABLED - value: "true" - - name: GF_AUTH_ANONYMOUS_ENABLED - value: "false" - - name: GF_AUTH_DISABLE_LOGIN_FORM - value: "false" -{{- else }} - - name: GF_AUTH_BASIC_ENABLED - value: "false" - - name: GF_AUTH_ANONYMOUS_ENABLED - value: "true" - - name: GF_AUTH_ANONYMOUS_ORG_ROLE - value: Admin -{{- end }} - - name: GF_PATHS_DATA - value: /data/grafana - resources: -{{- if .Values.resources }} -{{ toYaml 
.Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - volumeMounts: - - name: data - mountPath: /data/grafana - {{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} - {{- $filename := trimSuffix (ext $path) (base $path) }} - - name: dashboards-istio-{{ $filename }} - mountPath: "/var/lib/grafana/dashboards/istio/{{ base $path }}" - subPath: {{ base $path }} - readOnly: true - {{- end }} - - name: config - mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" - subPath: datasources.yaml - - name: config - mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" - subPath: dashboardproviders.yaml - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} - volumes: - - name: config - configMap: - name: istio-grafana - - name: data -{{- if .Values.persist }} - persistentVolumeClaim: - claimName: istio-grafana-pvc -{{- else }} - emptyDir: {} -{{- end }} -{{- range $path, $bytes := .Files.Glob "dashboards/*.json" }} -{{- $filename := trimSuffix (ext $path) (base $path) }} - - name: dashboards-istio-{{ $filename }} - configMap: - name: istio-grafana-configuration-dashboards-{{ $filename }} -{{- end }} diff --git a/manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml b/manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml deleted file mode 100644 index b9a3926518..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/grafana-ports-mtls.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{ define "grafana-default.yaml.tpl" }} -apiVersion: authentication.istio.io/v1alpha1 -kind: Policy -metadata: - name: grafana-ports-mtls-disabled - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - targets: - - name: grafana - ports: - - number: {{ .Values.service.externalPort }} -{{- end }} diff --git a/manager/manifests/istio/charts/grafana/templates/ingress.yaml b/manager/manifests/istio/charts/grafana/templates/ingress.yaml deleted file mode 100644 index 0ebe71f61d..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/ingress.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if .Values.ingress.enabled -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: grafana - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: -{{- if .Values.ingress.hosts }} - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }} - backend: - serviceName: grafana - servicePort: 3000 - {{- end -}} -{{- else }} - - http: - paths: - - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }} - backend: - serviceName: grafana - servicePort: 3000 -{{- end }} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/manager/manifests/istio/charts/grafana/templates/pvc.yaml b/manager/manifests/istio/charts/grafana/templates/pvc.yaml deleted file mode 100644 index e376a13a52..0000000000 
--- a/manager/manifests/istio/charts/grafana/templates/pvc.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.persist }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: istio-grafana-pvc - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - storageClassName: {{ .Values.storageClassName }} - accessModes: - - {{ .Values.accessMode }} - resources: - requests: - storage: 5Gi -{{- end }} diff --git a/manager/manifests/istio/charts/grafana/templates/service.yaml b/manager/manifests/istio/charts/grafana/templates/service.yaml deleted file mode 100644 index b206679c3e..0000000000 --- a/manager/manifests/istio/charts/grafana/templates/service.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: grafana - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := .Values.service.annotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: 3000 - protocol: TCP - name: {{ .Values.service.name }} - selector: - app: grafana -{{- if .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" -{{- end }} - {{if .Values.service.loadBalancerSourceRanges}} - loadBalancerSourceRanges: - {{range $rangeList := .Values.service.loadBalancerSourceRanges}} - - {{ $rangeList }} - {{end}} - {{end}} diff --git a/manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml b/manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml deleted file mode 100644 index 29a913a030..0000000000 
--- a/manager/manifests/istio/charts/grafana/templates/tests/test-grafana-connection.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.global.enableHelmTest }} -apiVersion: v1 -kind: Pod -metadata: - name: {{ template "grafana.fullname" . }}-test - namespace: {{ .Release.Namespace }} - labels: - app: grafana-test - chart: {{ template "grafana.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - istio: grafana - annotations: - sidecar.istio.io/inject: "false" - helm.sh/hook: test-success -spec: -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: "{{ template "grafana.fullname" . }}-test" - image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - command: ['curl'] - args: ['http://grafana:{{ .Values.grafana.service.externalPort }}'] - restartPolicy: Never - affinity: - {{- include "nodeaffinity" . | indent 4 }} - {{- include "podAntiAffinity" . | indent 4 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 2 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 2 }} - {{- end }} -{{- end }} diff --git a/manager/manifests/istio/charts/grafana/values.yaml b/manager/manifests/istio/charts/grafana/values.yaml deleted file mode 100644 index 454bb44950..0000000000 --- a/manager/manifests/istio/charts/grafana/values.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -# -# addon grafana configuration -# -enabled: false -replicaCount: 1 -image: - repository: grafana/grafana - tag: 6.1.6 -ingress: - enabled: false - ## Used to create an Ingress record. - hosts: - - grafana.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: grafana-tls - # hosts: - # - grafana.local -persist: false -storageClassName: "" -accessMode: ReadWriteMany -security: - enabled: false - secretName: grafana - usernameKey: username - passphraseKey: passphrase -nodeSelector: {} -tolerations: [] - -# Specify the pod anti-affinity that allows you to constrain which nodes -# your pod is eligible to be scheduled based on labels on pods that are -# already running on the node rather than based on labels on nodes. -# There are currently two types of anti-affinity: -# "requiredDuringSchedulingIgnoredDuringExecution" -# "preferredDuringSchedulingIgnoredDuringExecution" -# which denote “hard” vs. “soft” requirements, you can define your values -# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" -# correspondingly. -# For example: -# podAntiAffinityLabelSelector: -# - key: security -# operator: In -# values: S1,S2 -# topologyKey: "kubernetes.io/hostname" -# This pod anti-affinity rule says that the pod requires not to be scheduled -# onto a node if that node is already running a pod with label having key -# “security” and value “S1”. 
-podAntiAffinityLabelSelector: [] -podAntiAffinityTermLabelSelector: [] - -contextPath: /grafana -service: - annotations: {} - name: http - type: ClusterIP - externalPort: 3000 - loadBalancerIP: - loadBalancerSourceRanges: - -datasources: - datasources.yaml: - apiVersion: 1 - datasources: - - name: Prometheus - type: prometheus - orgId: 1 - url: http://prometheus:9090 - access: proxy - isDefault: true - jsonData: - timeInterval: 5s - editable: true - -dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: 'istio' - orgId: 1 - folder: 'istio' - type: file - disableDeletion: false - options: - path: /var/lib/grafana/dashboards/istio diff --git a/manager/manifests/istio/charts/istiocoredns/Chart.yaml b/manager/manifests/istio/charts/istiocoredns/Chart.yaml deleted file mode 100644 index a1b9392e14..0000000000 --- a/manager/manifests/istio/charts/istiocoredns/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -description: Istio CoreDNS provides DNS resolution for services in multicluster setups. -name: istiocoredns -version: 1.2.2 -appVersion: 0.1 -tillerVersion: ">=2.7.2" diff --git a/manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl b/manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl deleted file mode 100644 index e7add11bb3..0000000000 --- a/manager/manifests/istio/charts/istiocoredns/templates/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "istiocoredns.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "istiocoredns.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "istiocoredns.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml b/manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml
deleted file mode 100644
index 4242a327ff..0000000000
--- a/manager/manifests/istio/charts/istiocoredns/templates/clusterrole.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istiocoredns
- labels:
- app: {{ template "istiocoredns.name" . }}
- chart: {{ template "istiocoredns.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: ["networking.istio.io"]
- resources: ["*"]
- verbs: ["get", "watch", "list"]
diff --git a/manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml
deleted file mode 100644
index bafd0ca3bc..0000000000
--- a/manager/manifests/istio/charts/istiocoredns/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-istiocoredns-role-binding-{{ .Release.Namespace }} - labels: - app: {{ template "istiocoredns.name" . }} - chart: {{ template "istiocoredns.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiocoredns -subjects: -- kind: ServiceAccount - name: istiocoredns-service-account - namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml b/manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml deleted file mode 100644 index 50d166fe5e..0000000000 --- a/manager/manifests/istio/charts/istiocoredns/templates/configmap.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: coredns - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istiocoredns.name" . }} - chart: {{ template "istiocoredns.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - Corefile: | - .:53 { - errors - health - proxy global 127.0.0.1:8053 { - protocol grpc insecure - } - prometheus :9153 - proxy . /etc/resolv.conf - cache 30 - reload - } ---- diff --git a/manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml b/manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml deleted file mode 100644 index 8ecae0e3ad..0000000000 --- a/manager/manifests/istio/charts/istiocoredns/templates/deployment.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiocoredns - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istiocoredns.name" . }} - chart: {{ template "istiocoredns.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: istiocoredns - template: - metadata: - name: istiocoredns - labels: - app: istiocoredns - chart: {{ template "istiocoredns.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istiocoredns-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: coredns - image: {{ .Values.coreDNSImage }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - args: [ "-conf", "/etc/coredns/Corefile" ] - volumeMounts: - - name: config-volume - mountPath: /etc/coredns - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - - containerPort: 9153 - name: metrics - protocol: TCP - livenessProbe: - httpGet: - path: /health - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - - name: istio-coredns-plugin - command: - - /usr/local/bin/plugin - image: {{ .Values.coreDNSPluginImage }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 8053 - name: dns-grpc - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - dnsPolicy: Default - volumes: - - name: config-volume - 
configMap: - name: coredns - items: - - key: Corefile - path: Corefile - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} diff --git a/manager/manifests/istio/charts/istiocoredns/templates/service.yaml b/manager/manifests/istio/charts/istiocoredns/templates/service.yaml deleted file mode 100644 index a6311017cc..0000000000 --- a/manager/manifests/istio/charts/istiocoredns/templates/service.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiocoredns - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istiocoredns.name" . }} - chart: {{ template "istiocoredns.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - app: istiocoredns - ports: - - name: dns - port: 53 - protocol: UDP - - name: dns-tcp - port: 53 - protocol: TCP diff --git a/manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml b/manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml deleted file mode 100644 index e2627cf45e..0000000000 --- a/manager/manifests/istio/charts/istiocoredns/templates/serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istiocoredns-service-account - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istiocoredns.name" . }} - chart: {{ template "istiocoredns.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} 
diff --git a/manager/manifests/istio/charts/istiocoredns/values.yaml b/manager/manifests/istio/charts/istiocoredns/values.yaml
deleted file mode 100644
index 0a928c83c2..0000000000
--- a/manager/manifests/istio/charts/istiocoredns/values.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# addon istiocoredns tracing configuration
-#
-enabled: false
-replicaCount: 1
-coreDNSImage: coredns/coredns:1.1.2
-# Source code for the plugin can be found at
-# https://github.com/istio-ecosystem/istio-coredns-plugin
-# The plugin listens for DNS requests from coredns server at 127.0.0.1:8053
-coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
diff --git a/manager/manifests/istio/charts/kiali/Chart.yaml b/manager/manifests/istio/charts/kiali/Chart.yaml
deleted file mode 100644
index c1240aaf95..0000000000
--- a/manager/manifests/istio/charts/kiali/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-description: Kiali is an open source project for service mesh observability, refer to https://www.kiali.io for details.
-name: kiali
-version: 1.2.2
-appVersion: 0.20
-tillerVersion: ">=2.7.2"
diff --git a/manager/manifests/istio/charts/kiali/templates/_helpers.tpl b/manager/manifests/istio/charts/kiali/templates/_helpers.tpl
deleted file mode 100644
index 6b00957697..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "kiali.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "kiali.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "kiali.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/kiali/templates/clusterrole.yaml b/manager/manifests/istio/charts/kiali/templates/clusterrole.yaml
deleted file mode 100644
index 0fd657cc53..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/clusterrole.yaml
+++ /dev/null
@@ -1,265 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kiali
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: [""]
- resources:
- - configmaps
- - endpoints
- - namespaces
- - nodes
- - pods
- - pods/log
- - replicationcontrollers
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["extensions", "apps"]
- resources:
- - deployments
- - replicasets
- - statefulsets
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["autoscaling"]
- resources:
- - horizontalpodautoscalers
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["batch"]
- resources:
- - cronjobs
- - jobs
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["config.istio.io"]
- resources:
- - adapters
- - apikeys
- - bypasses
- - authorizations
- - checknothings
- - circonuses
- - cloudwatches
- - deniers
- - dogstatsds
- - edges
- - fluentds
- - handlers
- - instances
- - kubernetesenvs
- - kuberneteses
- - listcheckers
- - listentries
- - logentries
- - memquotas
- - metrics
- - noops
- - opas
- - prometheuses
- - quotas
- - quotaspecbindings
- - quotaspecs
- - rbacs
- - redisquotas
- - reportnothings
- - rules
- - signalfxs
- - solarwindses
- - stackdrivers
- - statsds
- - stdios
- - templates
- - tracespans
- - zipkins
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups: ["networking.istio.io"]
- resources:
- - destinationrules
- - gateways
- - serviceentries
- - virtualservices
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups: ["authentication.istio.io"]
- resources:
- - meshpolicies
- - policies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups: ["rbac.istio.io"]
- resources:
- - clusterrbacconfigs
- - rbacconfigs
- - servicerolebindings
- - serviceroles
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups: ["monitoring.kiali.io"]
- resources:
- - monitoringdashboards
- verbs:
- - get
- - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kiali-viewer
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: [""]
- resources:
- - configmaps
- - endpoints
- - namespaces
- - nodes
- - pods
- - pods/log
- - replicationcontrollers
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["extensions", "apps"]
- resources:
- - deployments
- - replicasets
- - statefulsets
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["autoscaling"]
- resources:
- - horizontalpodautoscalers
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["batch"]
- resources:
- - cronjobs
- - jobs
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["config.istio.io"]
- resources:
- - adapters
- - apikeys
- - bypasses
- - authorizations
- - checknothings
- - circonuses
- - cloudwatches
- - deniers
- - dogstatsds
- - edges
- - fluentds
- - handlers
- - instances
- - kubernetesenvs
- - kuberneteses
- - listcheckers
- - listentries
- - logentries
- - memquotas
- - metrics
- - noops
- - opas
- - prometheuses
- - quotas
- - quotaspecbindings
- - quotaspecs
- - rbacs
- - redisquotas
- - reportnothings
- - rules
- - signalfxs
- - solarwindses
- - stackdrivers
- - statsds
- - stdios
- - templates
- - tracespans
- - zipkins
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["networking.istio.io"]
- resources:
- - destinationrules
- - gateways
- - serviceentries
- - virtualservices
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["authentication.istio.io"]
- resources:
- - meshpolicies
- - policies
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["rbac.istio.io"]
- resources:
- - clusterrbacconfigs
- - rbacconfigs
- - servicerolebindings
- - serviceroles
- verbs:
- - get
- - list
- - watch
-- apiGroups: ["monitoring.kiali.io"]
- resources:
- - monitoringdashboards
- verbs:
- - get
- - list
diff --git a/manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml
deleted file mode 100644
index cf1652955e..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-kiali-admin-role-binding-{{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kiali{{- if .Values.dashboard.viewOnlyMode }}-viewer{{- end }}
-subjects:
-- kind: ServiceAccount
- name: kiali-service-account
- namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/kiali/templates/configmap.yaml b/manager/manifests/istio/charts/kiali/templates/configmap.yaml
deleted file mode 100644
index a6fa1b3aac..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/configmap.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kiali
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-data:
- config.yaml: |
- istio_namespace: {{ .Release.Namespace }}
- auth:
- strategy: "login"
- server:
- port: 20001
-{{- if .Values.contextPath }}
- web_root: {{ .Values.contextPath }}
-{{- end }}
- external_services:
- tracing:
- url: {{ .Values.dashboard.jaegerURL }}
- grafana:
- url: {{ .Values.dashboard.grafanaURL }}
- prometheus:
- url: {{ .Values.prometheusAddr }}
diff --git a/manager/manifests/istio/charts/kiali/templates/demosecret.yaml b/manager/manifests/istio/charts/kiali/templates/demosecret.yaml
deleted file mode 100644
index ad44298c3f..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/demosecret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.createDemoSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.dashboard.secretName }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-type: Opaque
-data:
- username: YWRtaW4= # admin
- passphrase: YWRtaW4= # admin
-{{- end }}
diff --git a/manager/manifests/istio/charts/kiali/templates/deployment.yaml b/manager/manifests/istio/charts/kiali/templates/deployment.yaml
deleted file mode 100644
index 67e81b1263..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/deployment.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kiali
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: kiali
- template:
- metadata:
- name: kiali
- labels:
- app: kiali
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- sidecar.istio.io/inject: "false"
- scheduler.alpha.kubernetes.io/critical-pod: ""
- prometheus.io/scrape: "true"
- prometheus.io/port: "9090"
- spec:
- serviceAccountName: kiali-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - image: "{{ .Values.hub }}/kiali:{{ .Values.tag }}"
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- name: kiali
- command:
- - "/opt/kiali/kiali"
- - "-config"
- - "/kiali-configuration/config.yaml"
- - "-v"
- - "4"
- env:
- - name: ACTIVE_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- volumeMounts:
- - name: kiali-configuration
- mountPath: "/kiali-configuration"
- - name: kiali-secret
- mountPath: "/kiali-secret"
- resources:
-{{- if .Values.resources }}
-{{ toYaml .Values.resources | indent 10 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 10 }}
-{{- end }}
- volumes:
- - name: kiali-configuration
- configMap:
- name: kiali
- - name: kiali-secret
- secret:
- secretName: {{ .Values.dashboard.secretName }}
- optional: true
- affinity:
- {{- include "nodeaffinity" . | indent 6 }}
- {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
- {{- end }}
diff --git a/manager/manifests/istio/charts/kiali/templates/ingress.yaml b/manager/manifests/istio/charts/kiali/templates/ingress.yaml
deleted file mode 100644
index 2e2a0de3af..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/ingress.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: kiali
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- annotations:
- {{- range $key, $value := .Values.ingress.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- rules:
-{{- if .Values.ingress.hosts }}
- {{- range $host := .Values.ingress.hosts }}
- - host: {{ $host }}
- http:
- paths:
- - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }}
- backend:
- serviceName: kiali
- servicePort: 20001
- {{- end -}}
-{{- else }}
- - http:
- paths:
- - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }}
- backend:
- serviceName: kiali
- servicePort: 20001
-{{- end }}
- {{- if .Values.ingress.tls }}
- tls:
-{{ toYaml .Values.ingress.tls | indent 4 }}
- {{- end -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/kiali/templates/service.yaml b/manager/manifests/istio/charts/kiali/templates/service.yaml
deleted file mode 100644
index 1aa79bfdbb..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: kiali
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- ports:
- - name: http-kiali
- protocol: TCP
- port: 20001
- selector:
- app: kiali
diff --git a/manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml b/manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml
deleted file mode 100644
index 2ae38a1ab0..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: kiali-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "kiali.name" . }}
- chart: {{ template "kiali.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml b/manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml
deleted file mode 100644
index 2697a705c3..0000000000
--- a/manager/manifests/istio/charts/kiali/templates/tests/test-kiali-connection.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{- if .Values.global.enableHelmTest }}
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ template "kiali.fullname" . }}-test
- namespace: {{ .Release.Namespace }}
- labels:
- app: kiali-test
- chart: {{ template "kiali.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- istio: kiali
- annotations:
- sidecar.istio.io/inject: "false"
- helm.sh/hook: test-success
-spec:
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: "{{ template "kiali.fullname" . }}-test"
- image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
- imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
- command: ['curl']
- args: ['http://kiali:20001']
- restartPolicy: Never
- affinity:
- {{- include "nodeaffinity" . | indent 4 }}
- {{- include "podAntiAffinity" . | indent 4 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 2 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 2 }}
- {{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/kiali/values.yaml b/manager/manifests/istio/charts/kiali/values.yaml
deleted file mode 100644
index 0bc05e8a01..0000000000
--- a/manager/manifests/istio/charts/kiali/values.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# addon kiali
-#
-enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`.
-replicaCount: 1
-hub: quay.io/kiali
-tag: v0.20
-contextPath: /kiali # The root context path to access the Kiali UI.
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
-
-ingress:
- enabled: false
- ## Used to create an Ingress record.
- hosts:
- - kiali.local
- annotations:
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- tls:
- # Secrets must be manually created in the namespace.
- # - secretName: kiali-tls
- # hosts:
- # - kiali.local
-
-dashboard:
- secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
- viewOnlyMode: false # Bind the service account to a role with only read access
- grafanaURL: # If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.
- jaegerURL: # If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.
-prometheusAddr: http://prometheus:9090
-
-# When true, a secret will be created with a default username and password. Useful for demos.
-createDemoSecret: false
diff --git a/manager/manifests/istio/charts/mixer/Chart.yaml b/manager/manifests/istio/charts/mixer/Chart.yaml
deleted file mode 100644
index 1f297ad36c..0000000000
--- a/manager/manifests/istio/charts/mixer/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: mixer
-version: 1.2.2
-appVersion: 1.2.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for mixer deployment
-keywords:
- - istio
- - mixer
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/mixer/templates/_helpers.tpl b/manager/manifests/istio/charts/mixer/templates/_helpers.tpl
deleted file mode 100644
index dac6da0366..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "mixer.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "mixer.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "mixer.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/mixer/templates/autoscale.yaml b/manager/manifests/istio/charts/mixer/templates/autoscale.yaml
deleted file mode 100644
index 377b47d033..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/autoscale.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if or (eq $key "policy") (eq $key "telemetry") }}
-{{- if and $spec.enabled $spec.autoscaleEnabled $spec.autoscaleMin $spec.autoscaleMax }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: istio-{{ $key }}
- namespace: {{ $.Release.Namespace }}
- labels:
- app: {{ template "mixer.name" $ }}
- chart: {{ template "mixer.chart" $ }}
- heritage: {{ $.Release.Service }}
- release: {{ $.Release.Name }}
-spec:
- maxReplicas: {{ $spec.autoscaleMax }}
- minReplicas: {{ $spec.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: istio-{{ $key }}
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/clusterrole.yaml b/manager/manifests/istio/charts/mixer/templates/clusterrole.yaml
deleted file mode 100644
index 3d7438f2d3..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/clusterrole.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-mixer-{{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: ["config.istio.io"] # istio CRD watcher
- resources: ["*"]
- verbs: ["create", "get", "list", "watch", "patch"]
-- apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["extensions", "apps"]
- resources: ["replicasets"]
- verbs: ["get", "list", "watch"]
-{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml
deleted file mode 100644
index 773e68b343..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-mixer-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-mixer-service-account
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/config.yaml b/manager/manifests/istio/charts/mixer/templates/config.yaml
deleted file mode 100644
index eb6d3a3ca4..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/config.yaml
+++ /dev/null
@@ -1,1086 +0,0 @@
-{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
-apiVersion: "config.istio.io/v1alpha2"
-kind: attributemanifest
-metadata:
- name: istioproxy
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- attributes:
- origin.ip:
- valueType: IP_ADDRESS
- origin.uid:
- valueType: STRING
- origin.user:
- valueType: STRING
- request.headers:
- valueType: STRING_MAP
- request.id:
- valueType: STRING
- request.host:
- valueType: STRING
- request.method:
- valueType: STRING
- request.path:
- valueType: STRING
- request.url_path:
- valueType: STRING
- request.query_params:
- valueType: STRING_MAP
- request.reason:
- valueType: STRING
- request.referer:
- valueType: STRING
- request.scheme:
- valueType: STRING
- request.total_size:
- valueType: INT64
- request.size:
- valueType: INT64
- request.time:
- valueType: TIMESTAMP
- request.useragent:
- valueType: STRING
- response.code:
- valueType: INT64
- response.duration:
- valueType: DURATION
- response.headers:
- valueType: STRING_MAP
- response.total_size:
- valueType: INT64
- response.size:
- valueType: INT64
- response.time:
- valueType: TIMESTAMP
- response.grpc_status:
- valueType: STRING
- response.grpc_message:
- valueType: STRING
- source.uid:
- valueType: STRING
- source.user: # DEPRECATED
- valueType: STRING
- source.principal:
- valueType: STRING
- destination.uid:
- valueType: STRING
- destination.principal:
- valueType: STRING
- destination.port:
- valueType: INT64
- connection.event:
- valueType: STRING
- connection.id:
- valueType: STRING
- connection.received.bytes:
- valueType: INT64
- connection.received.bytes_total:
- valueType: INT64
- connection.sent.bytes:
- valueType: INT64
- connection.sent.bytes_total:
- valueType: INT64
- connection.duration:
- valueType: DURATION
- connection.mtls:
- valueType: BOOL
- connection.requested_server_name:
- valueType: STRING
- context.protocol:
- valueType: STRING
- context.proxy_error_code:
- valueType: STRING
- context.timestamp:
- valueType: TIMESTAMP
- context.time:
- valueType: TIMESTAMP
- # Deprecated, kept for compatibility
- context.reporter.local:
- valueType: BOOL
- context.reporter.kind:
- valueType: STRING
- context.reporter.uid:
- valueType: STRING
- api.service:
- valueType: STRING
- api.version:
- valueType: STRING
- api.operation:
- valueType: STRING
- api.protocol:
- valueType: STRING
- request.auth.principal:
- valueType: STRING
- request.auth.audiences:
- valueType: STRING
- request.auth.presenter:
- valueType: STRING
- request.auth.claims:
- valueType: STRING_MAP
- request.auth.raw_claims:
- valueType: STRING
- request.api_key:
- valueType: STRING
- rbac.permissive.response_code:
- valueType: STRING
- rbac.permissive.effective_policy_id:
- valueType: STRING
- check.error_code:
- valueType: INT64
- check.error_message:
- valueType: STRING
- check.cache_hit:
- valueType: BOOL
- quota.cache_hit:
- valueType: BOOL
-
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: attributemanifest
-metadata:
- name: kubernetes
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- attributes:
- source.ip:
- valueType: IP_ADDRESS
- source.labels:
- valueType: STRING_MAP
- source.metadata:
- valueType: STRING_MAP
- source.name:
- valueType: STRING
- source.namespace:
- valueType: STRING
- source.owner:
- valueType: STRING
- source.serviceAccount:
- valueType: STRING
- source.services:
- valueType: STRING
- source.workload.uid:
- valueType: STRING
- source.workload.name:
- valueType: STRING
- source.workload.namespace:
- valueType: STRING
- destination.ip:
- valueType: IP_ADDRESS
- destination.labels:
- valueType: STRING_MAP
- destination.metadata:
- valueType: STRING_MAP
- destination.owner:
- valueType: STRING
- destination.name:
- valueType: STRING
- destination.container.name:
- valueType: STRING
- destination.namespace:
- valueType: STRING
- destination.service.uid:
- valueType: STRING
- destination.service.name:
- valueType: STRING
- destination.service.namespace:
- valueType: STRING
- destination.service.host:
- valueType: STRING
- destination.serviceAccount:
- valueType: STRING
- destination.workload.uid:
- valueType: STRING
- destination.workload.name:
- valueType: STRING
- destination.workload.namespace:
- valueType: STRING
----
-{{- if and .Values.adapters.stdio.enabled .Values.telemetry.enabled }}
-apiVersion: "config.istio.io/v1alpha2"
-kind: handler
-metadata:
- name: stdio
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- compiledAdapter: stdio
- params:
- outputAsJson: {{ .Values.adapters.stdio.outputAsJson }}
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: instance
-metadata:
- name: accesslog
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- compiledTemplate: logentry
- params:
- severity: '"Info"'
- timestamp: request.time
- variables:
- sourceIp: source.ip | ip("0.0.0.0")
- sourceApp: source.labels["app"] | ""
- sourcePrincipal: source.principal | ""
- sourceName: source.name | ""
- sourceWorkload: source.workload.name | ""
- sourceNamespace: source.namespace | ""
- sourceOwner: source.owner | ""
- destinationApp: destination.labels["app"] | ""
- destinationIp: destination.ip | ip("0.0.0.0")
- destinationServiceHost: destination.service.host | ""
- destinationWorkload: destination.workload.name | ""
- destinationName: destination.name | ""
- destinationNamespace: destination.namespace | ""
- destinationOwner: destination.owner | ""
- destinationPrincipal: destination.principal | ""
- apiClaims: request.auth.raw_claims | ""
- apiKey: request.api_key | request.headers["x-api-key"] | ""
- protocol: request.scheme | context.protocol | "http"
- method: request.method | ""
- url: request.path | ""
- responseCode: response.code | 0
- responseFlags: context.proxy_error_code | ""
- responseSize: response.size | 0
- permissiveResponseCode: rbac.permissive.response_code | "none"
- permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none"
- requestSize: request.size | 0
- requestId: request.headers["x-request-id"] | ""
- clientTraceId: request.headers["x-client-trace-id"] | ""
- latency: response.duration | "0ms"
- connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
- requestedServerName: connection.requested_server_name | ""
- userAgent: request.useragent | ""
- responseTimestamp: response.time
- receivedBytes: request.total_size | 0
- sentBytes: response.total_size | 0
- referer: request.referer | ""
- httpAuthority: request.headers[":authority"] | request.host | ""
- xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
- reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
- grpcStatus: response.grpc_status | ""
- grpcMessage: response.grpc_message | ""
- monitored_resource_type: '"global"'
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: instance
-metadata:
- name: tcpaccesslog
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- compiledTemplate: logentry
- params:
- severity: '"Info"'
- timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
- variables:
- connectionEvent: connection.event | ""
- sourceIp: source.ip | ip("0.0.0.0")
- sourceApp: source.labels["app"] | ""
- sourcePrincipal: source.principal | ""
- sourceName: source.name | ""
- sourceWorkload: source.workload.name | ""
- sourceNamespace: source.namespace | ""
- sourceOwner: source.owner | ""
- destinationApp: destination.labels["app"] | ""
- destinationIp: destination.ip | ip("0.0.0.0")
- destinationServiceHost: destination.service.host | ""
- destinationWorkload: destination.workload.name | ""
- destinationName: destination.name | ""
- destinationNamespace: destination.namespace | ""
- destinationOwner: destination.owner | ""
- destinationPrincipal: destination.principal | ""
- protocol: context.protocol | "tcp"
- connectionDuration: connection.duration | "0ms"
- connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
- requestedServerName: connection.requested_server_name | ""
- receivedBytes: connection.received.bytes | 0
- sentBytes: connection.sent.bytes | 0
- totalReceivedBytes: connection.received.bytes_total | 0
- totalSentBytes: connection.sent.bytes_total | 0
- reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
- responseFlags: context.proxy_error_code | ""
- monitored_resource_type: '"global"'
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: rule
-metadata:
- name: stdio
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- match: context.protocol == "http" || context.protocol == "grpc"
- actions:
- - handler: stdio
- instances:
- - accesslog
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: rule
-metadata:
- name: stdiotcp
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- match: context.protocol == "tcp"
- actions:
- - handler: stdio
- instances:
- - tcpaccesslog
-{{- end }}
----
-{{- if and .Values.adapters.prometheus.enabled .Values.telemetry.enabled }}
-apiVersion: "config.istio.io/v1alpha2"
-kind: instance
-metadata:
- name: requestcount
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- compiledTemplate: metric
- params:
- value: "1"
- dimensions:
- reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
- source_workload: source.workload.name | "unknown"
- source_workload_namespace: source.workload.namespace | "unknown"
- source_principal: source.principal | "unknown"
- source_app: source.labels["app"] | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_workload: destination.workload.name | "unknown"
- destination_workload_namespace: destination.workload.namespace | "unknown"
- destination_principal: destination.principal | "unknown"
- destination_app: destination.labels["app"] | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- destination_service: destination.service.host | "unknown"
- destination_service_name: destination.service.name | "unknown"
- destination_service_namespace: destination.service.namespace | "unknown"
- request_protocol: api.protocol | context.protocol | "unknown"
- response_code: response.code | 200
- response_flags: context.proxy_error_code | "-"
- permissive_response_code: rbac.permissive.response_code | "none"
- permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
- connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
- monitored_resource_type: '"UNSPECIFIED"'
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: instance
-metadata:
- name: requestduration
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- compiledTemplate: metric
- params:
- value: response.duration | "0ms"
- dimensions:
- reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
- source_workload: source.workload.name | "unknown"
- source_workload_namespace: source.workload.namespace | "unknown"
- source_principal: source.principal | "unknown"
- source_app: source.labels["app"] | "unknown"
- source_version: source.labels["version"] | "unknown"
- destination_workload: destination.workload.name | "unknown"
- destination_workload_namespace: destination.workload.namespace | "unknown"
- destination_principal: destination.principal | "unknown"
- destination_app: destination.labels["app"] | "unknown"
- destination_version: destination.labels["version"] | "unknown"
- destination_service: destination.service.host | "unknown"
- destination_service_name: destination.service.name | "unknown"
- destination_service_namespace: destination.service.namespace | "unknown"
- request_protocol: api.protocol | context.protocol | "unknown"
- response_code: response.code | 200
- response_flags: context.proxy_error_code | "-"
- permissive_response_code: rbac.permissive.response_code | "none"
- permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
- connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
- monitored_resource_type: '"UNSPECIFIED"'
----
-apiVersion: "config.istio.io/v1alpha2"
-kind: instance
-metadata:
- name: requestsize
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" .
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: metric - params: - value: request.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: responsesize - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: metric - params: - value: response.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpbytesent - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: metric - params: - value: connection.sent.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpbytereceived - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: metric - params: - value: connection.received.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpconnectionsopened - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpconnectionsclosed - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledAdapter: prometheus - params: - metricsExpirationPolicy: - metricsExpiryDuration: "{{ .Values.adapters.prometheus.metricsExpiryDuration }}" - metrics: - - name: requests_total - instance_name: requestcount.instance.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - - name: request_duration_seconds - instance_name: requestduration.instance.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_bytes - instance_name: requestsize.instance.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - 
destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: response_bytes - instance_name: responsesize.instance.{{ .Release.Namespace }} - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_sent_bytes_total - instance_name: tcpbytesent.instance.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_received_bytes_total - instance_name: tcpbytereceived.instance.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: 
tcp_connections_opened_total - instance_name: tcpconnectionsopened.instance.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_connections_closed_total - instance_name: tcpconnectionsclosed.instance.{{ .Release.Namespace }} - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags ---- -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promhttp - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) - actions: - - handler: prometheus - instances: - - requestcount - - requestduration - - requestsize - - responsesize ---- -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcp - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - match: context.protocol == "tcp" - actions: - - handler: prometheus - instances: - - tcpbytesent - - tcpbytereceived ---- -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcpconnectionopen - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - match: context.protocol == "tcp" && ((connection.event | "na") == "open") - actions: - - handler: prometheus - instances: - - tcpconnectionsopened ---- -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcpconnectionclosed - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - match: context.protocol == "tcp" && ((connection.event | "na") == "close") - actions: - - handler: prometheus - instances: - - tcpconnectionsclosed -{{- end }} ---- -{{- if and .Values.adapters.kubernetesenv.enabled (or .Values.policy.enabled .Values.telemetry.enabled) }} -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: kubernetesenv - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledAdapter: kubernetesenv - params: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" - ---- -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: kubeattrgenrulerule - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . 
}} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - actions: - - handler: kubernetesenv - instances: - - attributes ---- -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: tcpkubeattrgenrulerule - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - match: context.protocol == "tcp" - actions: - - handler: kubernetesenv - instances: - - attributes ---- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: attributes - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - compiledTemplate: kubernetes - params: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - destination_port: destination.port | 0 - attributeBindings: - # Fill the new attributes from the adapter produced output. 
- # $out refers to an instance of OutputTemplate message
- source.ip: $out.source_pod_ip | ip("0.0.0.0")
- source.uid: $out.source_pod_uid | "unknown"
- source.labels: $out.source_labels | emptyStringMap()
- source.name: $out.source_pod_name | "unknown"
- source.namespace: $out.source_namespace | "default"
- source.owner: $out.source_owner | "unknown"
- source.serviceAccount: $out.source_service_account_name | "unknown"
- source.workload.uid: $out.source_workload_uid | "unknown"
- source.workload.name: $out.source_workload_name | "unknown"
- source.workload.namespace: $out.source_workload_namespace | "unknown"
- destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
- destination.uid: $out.destination_pod_uid | "unknown"
- destination.labels: $out.destination_labels | emptyStringMap()
- destination.name: $out.destination_pod_name | "unknown"
- destination.container.name: $out.destination_container_name | "unknown"
- destination.namespace: $out.destination_namespace | "default"
- destination.owner: $out.destination_owner | "unknown"
- destination.serviceAccount: $out.destination_service_account_name | "unknown"
- destination.workload.uid: $out.destination_workload_uid | "unknown"
- destination.workload.name: $out.destination_workload_name | "unknown"
- destination.workload.namespace: $out.destination_workload_namespace | "unknown"
-{{- end }}
----
-{{- if .Values.policy.enabled }}
-# Configuration needed by Mixer.
-# Mixer cluster is delivered via CDS
-# Specify mixer cluster settings
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: istio-policy
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - host: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.defaultConfigVisibilitySettings }} - exportTo: - - '*' - {{- end }} - trafficPolicy: - {{- if .Values.global.controlPlaneSecurityEnabled }} - portLevelSettings: - - port: - number: 15004 - tls: - mode: ISTIO_MUTUAL - {{- end}} - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 -{{- end }} ---- -{{- if .Values.telemetry.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-telemetry - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "mixer.name" . }} - chart: {{ template "mixer.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - host: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.defaultConfigVisibilitySettings }} - exportTo: - - '*' - {{- end }} - trafficPolicy: - {{- if .Values.global.controlPlaneSecurityEnabled }} - portLevelSettings: - - port: - number: 15004 - tls: - mode: ISTIO_MUTUAL - {{- end}} - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 -{{- end }} ---- -{{- end }} diff --git a/manager/manifests/istio/charts/mixer/templates/deployment.yaml b/manager/manifests/istio/charts/mixer/templates/deployment.yaml deleted file mode 100644 index 79063d1950..0000000000 --- a/manager/manifests/istio/charts/mixer/templates/deployment.yaml +++ /dev/null 
@@ -1,428 +0,0 @@ -{{- define "policy_container" }} - spec: - serviceAccountName: istio-mixer-service-account -{{- if $.Values.global.priorityClassName }} - priorityClassName: "{{ $.Values.global.priorityClassName }}" -{{- end }} - volumes: - - name: istio-certs - secret: - secretName: istio.istio-mixer-service-account - optional: true - {{- if $.Values.global.sds.enabled }} - - hostPath: - path: /var/run/sds - name: sds-uds-path - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ $.Values.global.trustDomain }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - {{- end }} - - name: uds-socket - emptyDir: {} - - name: policy-adapter-secret - secret: - secretName: policy-adapter-secret - optional: true - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} - containers: - - name: mixer -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - ports: - - containerPort: {{ .Values.global.monitoringPort }} - - containerPort: 42422 - args: - - --monitoringPort={{ .Values.global.monitoringPort }} - - --address - - unix:///sock/mixer.socket -{{- if $.Values.global.logging.level }} - - --log_output_level={{ $.Values.global.logging.level }} -{{- end}} -{{- if $.Values.global.useMCP }} - {{- if $.Values.global.controlPlaneSecurityEnabled}} - - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901 - {{- else }} - - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901 - {{- end }} -{{- else }} - - 
--configStoreURL=k8s:// -{{- end }} - - --configDefaultNamespace={{ $.Release.Namespace }} - {{- if $.Values.adapters.useAdapterCRDs }} - - --useAdapterCRDs=true - {{- else }} - - --useAdapterCRDs=false - {{- end }} - {{- if $.Values.templates.useTemplateCRDs }} - - --useTemplateCRDs=true - {{- else }} - - --useTemplateCRDs=false - {{- end }} - {{- if $.Values.global.tracer.zipkin.address }} - - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans - {{- else }} - - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans - {{- end }} - {{- if .Values.env }} - env: - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - resources: -{{- if .Values.policy.resources }} -{{ toYaml .Values.policy.resources | indent 10 }} -{{- else if .Values.resources }} -{{ toYaml .Values.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - volumeMounts: -{{- if $.Values.global.useMCP }} - - name: istio-certs - mountPath: /etc/certs - readOnly: true -{{- end }} - - name: uds-socket - mountPath: /sock - livenessProbe: - httpGet: - path: /version - port: {{ .Values.global.monitoringPort }} - initialDelaySeconds: 5 - periodSeconds: 5 - - name: istio-proxy -{{- if contains "/" $.Values.global.proxy.image }} - image: "{{ $.Values.global.proxy.image }}" -{{- else }} - image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - ports: - - containerPort: 9091 - - containerPort: 15004 - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - --domain - - $(POD_NAMESPACE).svc.{{ $.Values.global.proxy.clusterDomain }} - - --serviceCluster - - istio-policy - - --templateFile - - /etc/istio/proxy/envoy_policy.yaml.tmpl - {{- if $.Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - 
MUTUAL_TLS - {{- else }} - - --controlPlaneAuthPolicy - - NONE - {{- end }} - {{- if $.Values.global.trustDomain }} - - --trust-domain={{ $.Values.global.trustDomain }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - resources: -{{- if $.Values.global.proxy.resources }} -{{ toYaml $.Values.global.proxy.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - volumeMounts: - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- if $.Values.global.sds.enabled }} - - name: sds-uds-path - mountPath: /var/run/sds - readOnly: true - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - mountPath: /var/run/secrets/tokens - {{- end }} - {{- end }} - - name: uds-socket - mountPath: /sock - - name: policy-adapter-secret - mountPath: /var/run/secrets/istio.io/policy/adapter - readOnly: true -{{- end }} - -{{- define "telemetry_container" }} - spec: - serviceAccountName: istio-mixer-service-account - volumes: - - name: istio-certs - secret: - secretName: istio.istio-mixer-service-account - optional: true - {{- if $.Values.global.sds.enabled }} - - hostPath: - path: /var/run/sds - name: sds-uds-path - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ $.Values.global.trustDomain }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - {{- end }} - - name: uds-socket - emptyDir: {} - - name: telemetry-adapter-secret - secret: - secretName: telemetry-adapter-secret - optional: true - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . 
| indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} - containers: - - name: mixer -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - ports: - - containerPort: {{ .Values.global.monitoringPort }} - - containerPort: 42422 - args: - - --monitoringPort={{ .Values.global.monitoringPort }} - - --address - - unix:///sock/mixer.socket -{{- if $.Values.global.logging.level }} - - --log_output_level={{ $.Values.global.logging.level }} -{{- end}} -{{- if $.Values.global.useMCP }} - {{- if $.Values.global.controlPlaneSecurityEnabled}} - - --configStoreURL=mcps://istio-galley.{{ $.Release.Namespace }}.svc:9901 - - --certFile=/etc/certs/cert-chain.pem - - --keyFile=/etc/certs/key.pem - - --caCertFile=/etc/certs/root-cert.pem - {{- else }} - - --configStoreURL=mcp://istio-galley.{{ $.Release.Namespace }}.svc:9901 - {{- end }} -{{- else }} - - --configStoreURL=k8s:// -{{- end }} - - --configDefaultNamespace={{ $.Release.Namespace }} - {{- if $.Values.adapters.useAdapterCRDs }} - - --useAdapterCRDs=true - {{- else }} - - --useAdapterCRDs=false - {{- end }} - {{- if $.Values.templates.useTemplateCRDs }} - - --useTemplateCRDs=true - {{- else }} - - --useTemplateCRDs=false - {{- end }} - {{- if $.Values.global.tracer.zipkin.address }} - - --trace_zipkin_url=http://{{- $.Values.global.tracer.zipkin.address }}/api/v1/spans - {{- else }} - - --trace_zipkin_url=http://zipkin.{{ $.Release.Namespace }}:9411/api/v1/spans - {{- end }} - - --averageLatencyThreshold - - {{ $.Values.telemetry.loadshedding.latencyThreshold }} - - --loadsheddingMode - - {{ $.Values.telemetry.loadshedding.mode }} - {{- if .Values.env }} - env: 
- {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - resources: -{{- if .Values.telemetry.resources }} -{{ toYaml .Values.telemetry.resources | indent 10 }} -{{- else if .Values.resources }} -{{ toYaml .Values.resources | indent 10 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 10 }} -{{- end }} - volumeMounts: -{{- if $.Values.global.useMCP }} - - name: istio-certs - mountPath: /etc/certs - readOnly: true -{{- end }} - - name: telemetry-adapter-secret - mountPath: /var/run/secrets/istio.io/telemetry/adapter - readOnly: true - - name: uds-socket - mountPath: /sock - livenessProbe: - httpGet: - path: /version - port: {{ .Values.global.monitoringPort }} - initialDelaySeconds: 5 - periodSeconds: 5 - - name: istio-proxy -{{- if contains "/" $.Values.global.proxy.image }} - image: "{{ $.Values.global.proxy.image }}" -{{- else }} - image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ $.Values.global.imagePullPolicy }} - ports: - - containerPort: 9091 - - containerPort: 15004 - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - istio-telemetry - - --templateFile - - /etc/istio/proxy/envoy_telemetry.yaml.tmpl - {{- if $.Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - {{- else }} - - --controlPlaneAuthPolicy - - NONE - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - resources: -{{- if $.Values.global.proxy.resources }} -{{ toYaml $.Values.global.proxy.resources | indent 10 }} -{{- else }} -{{ toYaml 
.Values.global.defaultResources | indent 10 }} -{{- end }} - volumeMounts: - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- if $.Values.global.sds.enabled }} - - name: sds-uds-path - mountPath: /var/run/sds - readOnly: true - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - mountPath: /var/run/secrets/tokens - {{- end }} - {{- end }} - - name: uds-socket - mountPath: /sock -{{- end }} - - -{{- range $key, $spec := .Values }} -{{- if or (eq $key "policy") (eq $key "telemetry") }} -{{- if $spec.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-{{ $key }} - namespace: {{ $.Release.Namespace }} - labels: - app: istio-mixer - chart: {{ template "mixer.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - istio: mixer -spec: -{{- if not $spec.autoscaleEnabled }} -{{- if $spec.replicaCount }} - replicas: {{ $spec.replicaCount }} -{{- else }} - replicas: 1 -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - istio: mixer - istio-mixer-type: {{ $key }} - template: - metadata: - labels: - app: {{ $key }} - chart: {{ template "mixer.chart" $ }} - heritage: {{ $.Release.Service }} - release: {{ $.Release.Name }} - istio: mixer - istio-mixer-type: {{ $key }} - annotations: - sidecar.istio.io/inject: "false" -{{- with $.Values.podAnnotations }} -{{ toYaml . | indent 8 }} -{{- end }} -{{- if eq $key "policy"}} -{{- template "policy_container" $ }} -{{- else }} -{{- template "telemetry_container" $ }} -{{- end }} - ---- -{{- end }} -{{- end }} -{{- end }} {{/* range */}} diff --git a/manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml deleted file mode 100644 index a6bfe8668a..0000000000 --- a/manager/manifests/istio/charts/mixer/templates/poddisruptionbudget.yaml +++ /dev/null 
@@ -1,32 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if or (eq $key "policy") (eq $key "telemetry") }}
-{{- if $spec.enabled }}
-{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: istio-{{ $key }}
- namespace: {{ $.Release.Namespace }}
- labels:
- app: {{ $key }}
- chart: {{ template "mixer.chart" $ }}
- heritage: {{ $.Release.Service }}
- release: {{ $.Release.Name }}
- version: {{ $.Chart.Version }}
- istio: mixer
- istio-mixer-type: {{ $key }}
-spec:
-{{- if $.Values.global.defaultPodDisruptionBudget.enabled }}
-{{ include "podDisruptionBudget.spec" $.Values.global.defaultPodDisruptionBudget }}
-{{- end }}
- selector:
- matchLabels:
- app: {{ $key }}
- release: {{ $.Release.Name }}
- istio: mixer
- istio-mixer-type: {{ $key }}
----
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/service.yaml b/manager/manifests/istio/charts/mixer/templates/service.yaml
deleted file mode 100644
index 6da499bed5..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/service.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{- range $key, $spec := .Values }}
-{{- if or (eq $key "policy") (eq $key "telemetry") }}
-{{- if $spec.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: istio-{{ $key }}
- namespace: {{ $.Release.Namespace }}
- annotations:
- networking.istio.io/exportTo: "*"
- labels:
- app: {{ template "mixer.name" $ }}
- chart: {{ template "mixer.chart" $ }}
- heritage: {{ $.Release.Service }}
- release: {{ $.Release.Name }}
- istio: mixer
-spec:
- ports:
- - name: grpc-mixer
- port: 9091
- - name: grpc-mixer-mtls
- port: 15004
- - name: http-monitoring
- port: {{ $.Values.global.monitoringPort }}
-{{- if eq $key "telemetry" }}
- - name: prometheus
- port: 42422
-{{- if $spec.sessionAffinityEnabled }}
- sessionAffinity: ClientIP
-{{- end }}
-{{- end }}
- selector:
- istio: mixer
- istio-mixer-type: {{ $key }}
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml b/manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml
deleted file mode 100644
index 9d3da7dd63..0000000000
--- a/manager/manifests/istio/charts/mixer/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if or (.Values.policy.enabled) (.Values.telemetry.enabled) }}
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-mixer-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "mixer.name" . }}
- chart: {{ template "mixer.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/mixer/values.yaml b/manager/manifests/istio/charts/mixer/values.yaml
deleted file mode 100644
index 1d92f38932..0000000000
--- a/manager/manifests/istio/charts/mixer/values.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-#
-# mixer configuration
-#
-image: mixer
-
-env:
- GODEBUG: gctrace=1
- # max procs should be ceil(cpu limit + 1)
- GOMAXPROCS: "6"
-
-policy:
- # if policy is enabled, global.disablePolicyChecks has affect.
- enabled: false
- replicaCount: 1
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- cpu:
- targetAverageUtilization: 80
-
-telemetry:
- enabled: true
- replicaCount: 1
- autoscaleEnabled: true
- autoscaleMin: 1
- autoscaleMax: 5
- cpu:
- targetAverageUtilization: 80
- sessionAffinityEnabled: false
-
- # mixer load shedding configuration.
- # When mixer detects that it is overloaded, it starts rejecting grpc requests.
- loadshedding:
- # disabled, logonly or enforce
- mode: enforce
- # based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.
- latencyThreshold: 100ms
- resources:
- requests:
- cpu: 1000m
- memory: 1G
- limits:
- # It is best to do horizontal scaling of mixer using moderate cpu allocation.
- # We have experimentally found that these values work well.
- cpu: 4800m
- memory: 4G
-
-podAnnotations: {}
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
-
-templates:
- useTemplateCRDs: false
-
-adapters:
- kubernetesenv:
- enabled: true
-
- # stdio is a debug adapter in istio-telemetry, it is not recommended for production use.
- stdio:
- enabled: false
- outputAsJson: true
- prometheus:
- enabled: true
- metricsExpiryDuration: 10m
- # Setting this to false sets the useAdapterCRDs mixer startup argument to false
- useAdapterCRDs: false
diff --git a/manager/manifests/istio/charts/nodeagent/Chart.yaml b/manager/manifests/istio/charts/nodeagent/Chart.yaml
deleted file mode 100644
index 4334965506..0000000000
--- a/manager/manifests/istio/charts/nodeagent/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: nodeagent
-version: 1.2.2
-appVersion: 1.2.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for nodeagent deployment
-keywords:
- - istio
- - nodeagent
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl b/manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl
deleted file mode 100644
index fda6043d0c..0000000000
--- a/manager/manifests/istio/charts/nodeagent/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "nodeagent.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "nodeagent.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "nodeagent.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml b/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml
deleted file mode 100644
index 8e4ab6d325..0000000000
--- a/manager/manifests/istio/charts/nodeagent/templates/clusterrole.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-nodeagent-{{ .Release.Namespace }}
- labels:
- app: {{ template "nodeagent.name" . }}
- chart: {{ template "nodeagent.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get"]
diff --git a/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml
deleted file mode 100644
index 591e482125..0000000000
--- a/manager/manifests/istio/charts/nodeagent/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-nodeagent-{{ .Release.Namespace }}
- labels:
- app: {{ template "nodeagent.name" . }}
- chart: {{ template "nodeagent.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-nodeagent-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-nodeagent-service-account
- namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml b/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml
deleted file mode 100644
index c6fcb85239..0000000000
--- a/manager/manifests/istio/charts/nodeagent/templates/daemonset.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: istio-nodeagent
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "nodeagent.name" . }}
- chart: {{ template "nodeagent.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- istio: nodeagent
-spec:
- selector:
- matchLabels:
- istio: nodeagent
- template:
- metadata:
- labels:
- app: {{ template "nodeagent.name" . }}
- chart: {{ template "nodeagent.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- istio: nodeagent
- annotations:
- sidecar.istio.io/inject: "false"
- spec:
- serviceAccountName: istio-nodeagent-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: nodeagent
-{{- if contains "/" .Values.image }}
- image: "{{ .Values.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
-{{- end }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- volumeMounts:
- - mountPath: /var/run/sds
- name: sdsudspath
- env:
- {{- if .Values.env }}
- {{- range $key, $val := .Values.env }}
- - name: {{ $key }}
- value: "{{ $val }}"
- {{- end }}
- {{- end }}
- - name: "Trust_Domain"
- value: "{{ .Values.global.trustDomain }}"
- volumes:
- - name: sdsudspath
- hostPath:
- path: /var/run/sds
- affinity:
- {{- include "nodeaffinity" . | indent 6 }}
- {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
- {{- end }}
- updateStrategy:
- type: RollingUpdate
diff --git a/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml b/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml
deleted file mode 100644
index 86853d7e0a..0000000000
--- a/manager/manifests/istio/charts/nodeagent/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-nodeagent-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "nodeagent.name" . }}
- chart: {{ template "nodeagent.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/nodeagent/values.yaml b/manager/manifests/istio/charts/nodeagent/values.yaml
deleted file mode 100644
index 812dd84cab..0000000000
--- a/manager/manifests/istio/charts/nodeagent/values.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# nodeagent configuration
-#
-enabled: false
-image: node-agent-k8s
-env:
- # name of authentication provider.
- CA_PROVIDER: ""
- # CA endpoint.
- CA_ADDR: ""
- # names of authentication provider's plugins.
- Plugins: ""
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
diff --git a/manager/manifests/istio/charts/pilot/Chart.yaml b/manager/manifests/istio/charts/pilot/Chart.yaml
deleted file mode 100644
index f18710979f..0000000000
--- a/manager/manifests/istio/charts/pilot/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: pilot
-version: 1.2.2
-appVersion: 1.2.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for pilot deployment
-keywords:
- - istio
- - pilot
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/pilot/templates/_helpers.tpl b/manager/manifests/istio/charts/pilot/templates/_helpers.tpl
deleted file mode 100644
index c812c37096..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "pilot.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "pilot.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "pilot.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/pilot/templates/autoscale.yaml b/manager/manifests/istio/charts/pilot/templates/autoscale.yaml
deleted file mode 100644
index 1a9945136a..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/autoscale.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: istio-pilot
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- maxReplicas: {{ .Values.autoscaleMax }}
- minReplicas: {{ .Values.autoscaleMin }}
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: istio-pilot
- metrics:
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }}
----
-{{- end }}
diff --git a/manager/manifests/istio/charts/pilot/templates/clusterrole.yaml b/manager/manifests/istio/charts/pilot/templates/clusterrole.yaml
deleted file mode 100644
index 0435c3ebd0..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/clusterrole.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-pilot-{{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: ["config.istio.io"]
- resources: ["*"]
- verbs: ["*"]
-- apiGroups: ["rbac.istio.io"]
- resources: ["*"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["networking.istio.io"]
- resources: ["*"]
- verbs: ["*"]
-- apiGroups: ["authentication.istio.io"]
- resources: ["*"]
- verbs: ["*"]
-- apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["*"]
-- apiGroups: ["extensions"]
- resources: ["ingresses", "ingresses/status"]
- verbs: ["*"]
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create", "get", "list", "watch", "update"]
-- apiGroups: [""]
- resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
- verbs: ["get", "list", "watch"]
diff --git a/manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml
deleted file mode 100644
index ef9281ca80..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-pilot-{{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-pilot-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-pilot-service-account
- namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/pilot/templates/deployment.yaml b/manager/manifests/istio/charts/pilot/templates/deployment.yaml
deleted file mode 100644
index 6afc097395..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/deployment.yaml
+++ /dev/null
@@ -1,225 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-pilot - namespace: {{ .Release.Namespace }} - # TODO: default template doesn't have this, which one is right ? - labels: - app: {{ template "pilot.name" . }} - chart: {{ template "pilot.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: pilot - annotations: - checksum/config-volume: {{ template "istio.configmap.checksum" . }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- else }} - replicas: 1 -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - istio: pilot - template: - metadata: - labels: - app: {{ template "pilot.name" . }} - chart: {{ template "pilot.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: pilot - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istio-pilot-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - args: - - "discovery" - - --monitoringAddr=:{{ .Values.global.monitoringPort }} -{{- if $.Values.global.logging.level }} - - --log_output_level={{ $.Values.global.logging.level }} -{{- end}} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.global.oneNamespace }} - - "-a" - - {{ .Release.Namespace }} -{{- end }} -{{- if $.Values.global.controlPlaneSecurityEnabled}} - {{- if not .Values.sidecar }} - - --secureGrpcAddr - - ":15011" - {{- end }} -{{- else }} - - --secureGrpcAddr - - "" -{{- end }} -{{- if .Values.global.trustDomain }} - - --trust-domain={{ 
.Values.global.trustDomain }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" - ports: - - containerPort: 8080 - - containerPort: 15010 -{{- if not .Values.sidecar }} - - containerPort: 15011 -{{- end }} - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 30 - timeoutSeconds: 5 - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} - - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY - value: "1" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - volumeMounts: - - name: config-volume - mountPath: /etc/istio/config - - name: istio-certs - mountPath: /etc/certs - readOnly: true -{{- if .Values.sidecar }} - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" -{{- end }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 15003 - - containerPort: 15005 - - containerPort: 15007 - - containerPort: 15011 - args: - - proxy - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - istio-pilot - - --templateFile - - /etc/istio/proxy/envoy_pilot.yaml.tmpl - {{- if $.Values.global.controlPlaneSecurityEnabled}} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - {{- else }} - - --controlPlaneAuthPolicy - - NONE - {{- end }} - {{- if 
.Values.global.trustDomain }} - - --trust-domain={{ .Values.global.trustDomain }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - resources: -{{- if .Values.global.proxy.resources }} -{{ toYaml .Values.global.proxy.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - volumeMounts: - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- if $.Values.global.sds.enabled }} - - name: sds-uds-path - mountPath: /var/run/sds - readOnly: true - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - mountPath: /var/run/secrets/tokens - {{- end }} - {{- end }} -{{- end }} - volumes: - {{- if $.Values.global.sds.enabled }} - - hostPath: - path: /var/run/sds - name: sds-uds-path - {{- if $.Values.global.sds.useTrustworthyJwt }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ $.Values.global.trustDomain }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - {{- end }} - - name: config-volume - configMap: - name: istio - - name: istio-certs - secret: - secretName: istio.istio-pilot-service-account - optional: true - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} diff --git a/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml b/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml deleted file mode 100644 index 50dfc0775f..0000000000 
--- a/manager/manifests/istio/charts/pilot/templates/meshexpansion.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
-{{- if .Values.global.meshExpansion.enabled }}
-{{- if .Values.global.meshExpansion.useILB }}
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: meshexpansion-ilb-vs-pilot
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- hosts:
- - istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- gateways:
- - meshexpansion-ilb-gateway
- tcp:
- - match:
- - port: 15011
- route:
- - destination:
- host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- port:
- number: 15011
- - match:
- - port: 15010
- route:
- - destination:
- host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- port:
- number: 15010
- - match:
- - port: 5353
- route:
- - destination:
- host: kube-dns.kube-system.svc.{{ .Values.global.proxy.clusterDomain }}
- port:
- number: 53
----
-{{- else }}
-
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: meshexpansion-vs-pilot
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- hosts:
- - istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- gateways:
- - meshexpansion-gateway
- tcp:
- - match:
- - port: 15011
- route:
- - destination:
- host: istio-pilot.{{ $.Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- port:
- number: 15011
----
-{{- end }}
-
-{{- if .Values.global.controlPlaneSecurityEnabled }}
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: meshexpansion-dr-pilot
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- host: istio-pilot.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- trafficPolicy:
- portLevelSettings:
- - port:
- number: 15011
- tls:
- mode: DISABLE
----
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml
deleted file mode 100644
index fd9e06a717..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: istio-pilot
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: pilot
-spec:
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
-{{- end }}
- selector:
- matchLabels:
- app: {{ template "pilot.name" . }}
- release: {{ .Release.Name }}
- istio: pilot
-{{- end }}
diff --git a/manager/manifests/istio/charts/pilot/templates/service.yaml b/manager/manifests/istio/charts/pilot/templates/service.yaml
deleted file mode 100644
index a61d93025e..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: istio-pilot
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: pilot
-spec:
- ports:
- - port: 15010
- name: grpc-xds # direct
- - port: 15011
- name: https-xds # mTLS
- - port: 8080
- name: http-legacy-discovery # direct
- - port: {{ .Values.global.monitoringPort }}
- name: http-monitoring
- selector:
- istio: pilot
diff --git a/manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml b/manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml
deleted file mode 100644
index 7ec2a66de7..0000000000
--- a/manager/manifests/istio/charts/pilot/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-pilot-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "pilot.name" . }}
- chart: {{ template "pilot.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/pilot/values.yaml b/manager/manifests/istio/charts/pilot/values.yaml
deleted file mode 100644
index 9f446cd90f..0000000000
--- a/manager/manifests/istio/charts/pilot/values.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# pilot configuration
-#
-enabled: true
-autoscaleEnabled: true
-autoscaleMin: 1
-autoscaleMax: 5
-# specify replicaCount when autoscaleEnabled: false
-# replicaCount: 1
-image: pilot
-sidecar: true
-traceSampling: 1.0
-# Resources for a small pilot install
-resources:
- requests:
- cpu: 500m
- memory: 2048Mi
-env:
- PILOT_PUSH_THROTTLE: 100
- GODEBUG: gctrace=1
-cpu:
- targetAverageUtilization: 80
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
-
-# The following is used to limit how long a sidecar can be connected
-# to a pilot. It balances out load across pilot instances at the cost of
-# increasing system churn.
-keepaliveMaxServerConnectionAge: 30m
diff --git a/manager/manifests/istio/charts/prometheus/Chart.yaml b/manager/manifests/istio/charts/prometheus/Chart.yaml
deleted file mode 100644
index 3fb2805fc1..0000000000
--- a/manager/manifests/istio/charts/prometheus/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-description: A Helm chart for Kubernetes
-name: prometheus
-version: 1.2.2
-appVersion: 2.8.0
-tillerVersion: ">=2.7.2"
diff --git a/manager/manifests/istio/charts/prometheus/templates/_helpers.tpl b/manager/manifests/istio/charts/prometheus/templates/_helpers.tpl
deleted file mode 100644
index 039388329b..0000000000
--- a/manager/manifests/istio/charts/prometheus/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "prometheus.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "prometheus.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "prometheus.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml b/manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml
deleted file mode 100644
index 06fdfaf533..0000000000
--- a/manager/manifests/istio/charts/prometheus/templates/clusterrole.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: prometheus-{{ .Release.Namespace }}
- labels:
- app: prometheus
- chart: {{ template "prometheus.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: [""]
- resources:
- - nodes
- - services
- - endpoints
- - pods
- - nodes/proxy
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources:
- - configmaps
- verbs: ["get"]
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
diff --git a/manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml b/manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml
deleted file mode 100644
index 295e0df729..0000000000
--- a/manager/manifests/istio/charts/prometheus/templates/clusterrolebindings.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: prometheus-{{ .Release.Namespace }}
- labels:
- app: prometheus
- chart: {{ template "prometheus.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: prometheus
- namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/configmap.yaml b/manager/manifests/istio/charts/prometheus/templates/configmap.yaml
deleted file mode 100644
index 040269d3a2..0000000000
--- a/manager/manifests/istio/charts/prometheus/templates/configmap.yaml
+++ /dev/null
@@ -1,281 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} - labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - prometheus.yml: |- - global: - scrape_interval: {{ .Values.scrapeInterval }} - scrape_configs: - - - job_name: 'istio-mesh' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-telemetry;prometheus - - # Scrape config for envoy stats - - job_name: 'envoy-stats' - metrics_path: /stats/prometheus - kubernetes_sd_configs: - - role: pod - - relabel_configs: - - source_labels: [__meta_kubernetes_pod_container_port_name] - action: keep - regex: '.*-envoy-prom' - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:15090 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name - - - job_name: 'istio-policy' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} - - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-policy;http-monitoring - - - job_name: 'istio-telemetry' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-telemetry;http-monitoring - - - job_name: 'pilot' - kubernetes_sd_configs: - - role: 
endpoints - namespaces: - names: - - {{ .Release.Namespace }} - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-pilot;http-monitoring - - - job_name: 'galley' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-galley;http-monitoring - - - job_name: 'citadel' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - {{ .Release.Namespace }} - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-citadel;http-monitoring - - # scrape config for API servers - - job_name: 'kubernetes-apiservers' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - default - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: kubernetes;https - - # scrape config for nodes (kubelet) - - job_name: 'kubernetes-nodes' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/${1}/proxy/metrics - - # Scrape config for Kubelet cAdvisor. 
- # - # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics - # (those whose names begin with 'container_') have been removed from the - # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to - # retrieve those metrics. - # - # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor - # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" - # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with - # the --cadvisor-port=0 Kubelet flag). - # - # This job is not necessary and should be removed in Kubernetes 1.6 and - # earlier versions, or it will cause the metrics to be scraped twice. - - job_name: 'kubernetes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor - - # scrape config for service endpoints. - - job_name: 'kubernetes-service-endpoints' - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] - action: replace - target_label: __scheme__ - regex: (https?) 
- - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] - action: replace - target_label: __address__ - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: kubernetes_namespace - - source_labels: [__meta_kubernetes_service_name] - action: replace - target_label: kubernetes_name - - - job_name: 'kubernetes-pods' - kubernetes_sd_configs: - - role: pod - relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" - - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] - action: keep - regex: ((;.*)|(.*;http)) - - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] - action: drop - regex: (true) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name - - - job_name: 'kubernetes-pods-istio-secure' - scheme: https - tls_config: - ca_file: /etc/istio-certs/root-cert.pem - cert_file: /etc/istio-certs/cert-chain.pem - key_file: 
/etc/istio-certs/key.pem - insecure_skip_verify: true # prometheus does not support secure naming. - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - # sidecar status annotation is added by sidecar injector and - # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. - - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] - action: keep - regex: (([^;]+);([^;]*))|(([^;]*);(true)) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] - action: drop - regex: (http) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__] # Only keep address that is host:port - action: keep # otherwise an extra target with ':443' is added for https scheme - regex: ([^:]+):(\d+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name diff --git a/manager/manifests/istio/charts/prometheus/templates/deployment.yaml b/manager/manifests/istio/charts/prometheus/templates/deployment.yaml deleted file mode 100644 index 8d89aaf46e..0000000000 --- a/manager/manifests/istio/charts/prometheus/templates/deployment.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -# TODO: the original template has service account, roles, etc -apiVersion: apps/v1 -kind: Deployment -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} - labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: prometheus - template: - metadata: - labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: prometheus -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: prometheus - image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - args: - - '--storage.tsdb.retention={{ .Values.retention }}' - - '--config.file=/etc/prometheus/prometheus.yml' - ports: - - containerPort: 9090 - name: http - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - volumeMounts: - - name: config-volume - mountPath: /etc/prometheus - - mountPath: /etc/istio-certs - name: istio-certs - volumes: - - name: config-volume - configMap: - name: prometheus - - name: istio-certs - secret: - defaultMode: 420 -{{- if not .Values.security.enabled }} - optional: true -{{- end }} - secretName: istio.default - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . 
| indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} diff --git a/manager/manifests/istio/charts/prometheus/templates/ingress.yaml b/manager/manifests/istio/charts/prometheus/templates/ingress.yaml deleted file mode 100644 index 43be655232..0000000000 --- a/manager/manifests/istio/charts/prometheus/templates/ingress.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if .Values.ingress.enabled -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} - labels: - app: prometheus - chart: {{ template "prometheus.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: -{{- if .Values.ingress.hosts }} - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} / {{ end }} - backend: - serviceName: prometheus - servicePort: 9090 - {{- end -}} -{{- else }} - - http: - paths: - - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} / {{ end }} - backend: - serviceName: prometheus - servicePort: 9090 -{{- end }} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/manager/manifests/istio/charts/prometheus/templates/service.yaml b/manager/manifests/istio/charts/prometheus/templates/service.yaml deleted file mode 100644 index d92525df07..0000000000 --- a/manager/manifests/istio/charts/prometheus/templates/service.yaml +++ /dev/null 
@@ -1,45 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: prometheus
- namespace: {{ .Release.Namespace }}
- annotations:
- prometheus.io/scrape: 'true'
- {{- range $key, $val := .Values.service.annotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
- app: prometheus
- chart: {{ template "prometheus.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- selector:
- app: prometheus
- ports:
- - name: http-prometheus
- protocol: TCP
- port: 9090
-
-{{- if .Values.service.nodePort.enabled }}
-# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
----
-apiVersion: v1
-kind: Service
-metadata:
- name: prometheus-nodeport
- namespace: {{ .Release.Namespace }}
- labels:
- app: prometheus
- chart: {{ template "prometheus.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- type: NodePort
- ports:
- - port: 9090
- nodePort: {{ .Values.service.nodePort.port }}
- name: http-prometheus
- selector:
- app: prometheus
-{{- end }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml b/manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml
deleted file mode 100644
index 7c2fab3f4c..0000000000
--- a/manager/manifests/istio/charts/prometheus/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: prometheus
- namespace: {{ .Release.Namespace }}
- labels:
- app: prometheus
- chart: {{ template "prometheus.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml b/manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
deleted file mode 100644
index 289a56f51b..0000000000
--- a/manager/manifests/istio/charts/prometheus/templates/tests/test-prometheus-connection.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- if .Values.global.enableHelmTest }}
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ template "prometheus.fullname" . }}-test
- namespace: {{ .Release.Namespace }}
- labels:
- app: prometheus-test
- chart: {{ template "prometheus.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- istio: prometheus
- annotations:
- sidecar.istio.io/inject: "false"
- helm.sh/hook: test-success
-spec:
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: "{{ template "prometheus.fullname" . }}-test"
- image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
- imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
- command: ['sh', '-c', 'for i in 1 2 3; do curl http://prometheus:9090/-/ready && exit 0 || sleep 15; done; exit 1']
- restartPolicy: Never
- affinity:
- {{- include "nodeaffinity" . | indent 4 }}
- {{- include "podAntiAffinity" . | indent 4 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 2 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 2 }}
- {{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/prometheus/values.yaml b/manager/manifests/istio/charts/prometheus/values.yaml
deleted file mode 100644
index b52fd55662..0000000000
--- a/manager/manifests/istio/charts/prometheus/values.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-#
-# addon prometheus configuration
-#
-enabled: true
-replicaCount: 1
-hub: docker.io/prom
-tag: v2.8.0
-retention: 6h
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
-
-# Controls the frequency of prometheus scraping
-scrapeInterval: 15s
-
-contextPath: /prometheus
-
-ingress:
- enabled: false
- ## Used to create an Ingress record.
- hosts:
- - prometheus.local
- annotations:
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- tls:
- # Secrets must be manually created in the namespace.
- # - secretName: prometheus-tls
- # hosts:
- # - prometheus.local
-
-service:
- annotations: {}
- nodePort:
- enabled: false
- port: 32090
-
-security:
- enabled: true
diff --git a/manager/manifests/istio/charts/security/Chart.yaml b/manager/manifests/istio/charts/security/Chart.yaml
deleted file mode 100644
index f2f4ad59e3..0000000000
--- a/manager/manifests/istio/charts/security/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: security
-version: 1.2.2
-appVersion: 1.2.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for istio authentication
-keywords:
- - istio
- - security
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/security/templates/_helpers.tpl b/manager/manifests/istio/charts/security/templates/_helpers.tpl
deleted file mode 100644
index 7f36f9d510..0000000000
--- a/manager/manifests/istio/charts/security/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "security.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "security.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "security.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml b/manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml
deleted file mode 100644
index 858c6c5f71..0000000000
--- a/manager/manifests/istio/charts/security/templates/cleanup-secrets.yaml
+++ /dev/null
@@ -1,125 +0,0 @@ -# The reason for creating a ServiceAccount and ClusterRole specifically for this -# post-delete hooked job is because the citadel ServiceAccount is being deleted -# before this hook is launched. On the other hand, running this hook before the -# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they -# will be re-created immediately by the to-be-deleted citadel. -# -# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding -# will be ready before running the hooked Job therefore the hook weights. - -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-cleanup-secrets-service-account - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": hook-succeeded - "helm.sh/hook-weight": "1" - labels: - app: {{ template "security.name" . }} - chart: {{ template "security.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} -- name: {{ . }} -{{- end }} -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cleanup-secrets-{{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": hook-succeeded - "helm.sh/hook-weight": "1" - labels: - app: {{ template "security.name" . }} - chart: {{ template "security.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["list", "delete"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cleanup-secrets-{{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": hook-succeeded - "helm.sh/hook-weight": "2" - labels: - app: {{ template "security.name" . }} - chart: {{ template "security.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cleanup-secrets-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-cleanup-secrets-service-account - namespace: {{ .Release.Namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: istio-cleanup-secrets-{{ .Values.global.tag | printf "%v" | trunc 32 }} - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": hook-succeeded - "helm.sh/hook-weight": "3" - labels: - app: {{ template "security.name" . }} - chart: {{ template "security.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - template: - metadata: - name: istio-cleanup-secrets - labels: - app: {{ template "security.name" . }} - chart: {{ template "security.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - spec: - serviceAccountName: istio-cleanup-secrets-service-account - containers: - - name: kubectl - image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}" - imagePullPolicy: IfNotPresent - command: - - /bin/bash - - -c - - > - kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do - ns=$(echo $entry | awk '{print $1}'); - name=$(echo $entry | awk '{print $2}'); - kubectl delete secret $name -n $ns; - done - restartPolicy: OnFailure - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} diff --git a/manager/manifests/istio/charts/security/templates/clusterrole.yaml b/manager/manifests/istio/charts/security/templates/clusterrole.yaml deleted file mode 100644 index cdeb0c054e..0000000000 --- a/manager/manifests/istio/charts/security/templates/clusterrole.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-citadel-{{ .Release.Namespace }} - labels: - app: {{ template "security.name" . }} - chart: {{ template "security.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "update"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "watch", "list", "update", "delete"] -- apiGroups: [""] - resources: ["serviceaccounts", "services"] - verbs: ["get", "watch", "list"] -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] 
diff --git a/manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml
deleted file mode 100644
index 0a15799ce9..0000000000
--- a/manager/manifests/istio/charts/security/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-citadel-{{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-citadel-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-citadel-service-account
- namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/security/templates/configmap.yaml b/manager/manifests/istio/charts/security/templates/configmap.yaml
deleted file mode 100644
index 14749fd657..0000000000
--- a/manager/manifests/istio/charts/security/templates/configmap.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: istio-security-custom-resources
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: citadel
-data:
- custom-resources.yaml: |-
- {{- if .Values.global.mtls.enabled }}
- {{- include "security-default.yaml.tpl" . | indent 4}}
- {{- else }}
- {{- include "security-permissive.yaml.tpl" . | indent 4}}
- {{- end }}
- run.sh: |-
- {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml b/manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml
deleted file mode 100644
index 8513d79dbb..0000000000
--- a/manager/manifests/istio/charts/security/templates/create-custom-resources-job.yaml
+++ /dev/null
@@ -1,101 +0,0 @@
-{{- if .Values.createMeshPolicy }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: istio-security-post-install-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: istio-security-post-install-{{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
- resources: ["*"]
- verbs: ["*"]
-- apiGroups: ["networking.istio.io"] # needed to create security destination rules
- resources: ["*"]
- verbs: ["*"]
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["get"]
-- apiGroups: ["extensions", "apps"]
- resources: ["deployments", "replicasets"]
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-security-post-install-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-security-post-install-account
- namespace: {{ .Release.Namespace }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: istio-security-post-install-{{ .Values.global.tag | printf "%v" | trunc 32 }}
- namespace: {{ .Release.Namespace }}
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-delete-policy": hook-succeeded
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- template:
- metadata:
- name: istio-security-post-install
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- spec:
- serviceAccountName: istio-security-post-install-account
- containers:
- - name: kubectl
- image: "{{ .Values.global.hub }}/kubectl:{{ .Values.global.tag }}"
- imagePullPolicy: IfNotPresent
- command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
- volumeMounts:
- - mountPath: "/tmp/security"
- name: tmp-configmap-security
- volumes:
- - name: tmp-configmap-security
- configMap:
- name: istio-security-custom-resources
- restartPolicy: OnFailure
- affinity:
- {{- include "nodeaffinity" . | indent 6 }}
- {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
- {{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/deployment.yaml b/manager/manifests/istio/charts/security/templates/deployment.yaml
deleted file mode 100644
index 5070f3c894..0000000000
--- a/manager/manifests/istio/charts/security/templates/deployment.yaml
+++ /dev/null
@@ -1,108 +0,0 @@
-# istio CA watching all namespaces
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: istio-citadel
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: citadel
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- istio: citadel
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: citadel
- annotations:
- sidecar.istio.io/inject: "false"
- spec:
- serviceAccountName: istio-citadel-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: citadel
-{{- if contains "/" .Values.image }}
- image: "{{ .Values.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
-{{- end }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- args:
- - --append-dns-names=true
- - --grpc-port=8060
- - --citadel-storage-namespace={{ .Release.Namespace }}
- - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }}
- - --monitoring-port={{ .Values.global.monitoringPort }}
- {{- if .Values.selfSigned }}
- - --self-signed-ca=true
- {{- else }}
- - --self-signed-ca=false
- - --signing-cert=/etc/cacerts/ca-cert.pem
- - --signing-key=/etc/cacerts/ca-key.pem
- - --root-cert=/etc/cacerts/root-cert.pem
- - --cert-chain=/etc/cacerts/cert-chain.pem
- {{- end }}
- {{- if .Values.global.trustDomain }}
- - --trust-domain={{ .Values.global.trustDomain }}
- {{- end }}
- {{- if .Values.workloadCertTtl }}
- - --workload-cert-ttl={{ .Values.workloadCertTtl }}
- {{- end }}
- {{- if .Values.citadelHealthCheck }}
- - --liveness-probe-path=/tmp/ca.liveness # path to the liveness health check status file
- - --liveness-probe-interval=60s # interval for health check file update
- - --probe-check-interval=15s # interval for health status check
- {{- end }}
- {{- if .Values.citadelHealthCheck }}
- livenessProbe:
- exec:
- command:
- - /usr/local/bin/istio_ca
- - probe
- - --probe-path=/tmp/ca.liveness # path to the liveness health check status file
- - --interval=125s # the maximum time gap allowed between the file mtime and the current sys clock
- initialDelaySeconds: 60
- periodSeconds: 60
- {{- end }}
- resources:
-{{- if .Values.resources }}
-{{ toYaml .Values.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
-{{- if not .Values.selfSigned }}
- volumeMounts:
- - name: cacerts
- mountPath: /etc/cacerts
- readOnly: true
- volumes:
- - name: cacerts
- secret:
- secretName: cacerts
- optional: true
-{{- end }}
- affinity:
- {{- include "nodeaffinity" . | indent 6 }}
- {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
- {{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml b/manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml
deleted file mode 100644
index 75e4a18e33..0000000000
--- a/manager/manifests/istio/charts/security/templates/enable-mesh-mtls.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- define "security-default.yaml.tpl" }}
-# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
-# they are added to Istio installation yaml for backward compatible. In future, they should be in
-# a separated yaml file so that customer can enable mTLS independent from installation.
-
-# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
-apiVersion: "authentication.istio.io/v1alpha1"
-kind: "MeshPolicy"
-metadata:
- name: "default"
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- peers:
- - mtls: {}
----
-# Corresponding destination rule to configure client side to use mutual TLS when talking to
-# any service (host) in the mesh.
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: "default"
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- host: "*.local"
- {{- if .Values.global.defaultConfigVisibilitySettings }}
- exportTo:
- - '*'
- {{- end }}
- trafficPolicy:
- tls:
- mode: ISTIO_MUTUAL
----
-# Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
-# Customer should add similar destination rules for other services that don't have sidecar.
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
- name: "api-server"
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- host: "kubernetes.default.svc.{{ .Values.global.proxy.clusterDomain }}"
- {{- if .Values.global.defaultConfigVisibilitySettings }}
- exportTo:
- - '*'
- {{- end }}
- trafficPolicy:
- tls:
- mode: DISABLE
-{{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml b/manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml
deleted file mode 100644
index a6931b3b94..0000000000
--- a/manager/manifests/istio/charts/security/templates/enable-mesh-permissive.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- define "security-permissive.yaml.tpl" }}
-# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
-apiVersion: "authentication.istio.io/v1alpha1"
-kind: "MeshPolicy"
-metadata:
- name: "default"
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- peers:
- - mtls:
- mode: PERMISSIVE
-{{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/meshexpansion.yaml b/manager/manifests/istio/charts/security/templates/meshexpansion.yaml
deleted file mode 100644
index 581ce964a7..0000000000
--- a/manager/manifests/istio/charts/security/templates/meshexpansion.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-{{- if .Values.global.meshExpansion.enabled }}
-{{- if .Values.global.meshExpansion.useILB }}
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: meshexpansion-vs-citadel-ilb
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: citadel
-spec:
- hosts:
- - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- gateways:
- - meshexpansion-ilb-gateway
- tcp:
- - match:
- - port: 8060
- route:
- - destination:
- host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- port:
- number: 8060
----
-{{- else }}
-
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
- name: meshexpansion-vs-citadel
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: citadel
-spec:
- hosts:
- - istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- gateways:
- - meshexpansion-gateway
- tcp:
- - match:
- - port: 8060
- route:
- - destination:
- host: istio-citadel.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
- port:
- number: 8060
----
-{{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/security/templates/service.yaml b/manager/manifests/istio/charts/security/templates/service.yaml
deleted file mode 100644
index efea17544a..0000000000
--- a/manager/manifests/istio/charts/security/templates/service.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- # we use the normal name here (e.g. 'prometheus')
- # as grafana is configured to use this as a data source
- name: istio-citadel
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: citadel
-spec:
- ports:
- - name: grpc-citadel
- port: 8060
- targetPort: 8060
- protocol: TCP
- - name: http-monitoring
- port: {{ .Values.global.monitoringPort }}
- selector:
- istio: citadel
diff --git a/manager/manifests/istio/charts/security/templates/serviceaccount.yaml b/manager/manifests/istio/charts/security/templates/serviceaccount.yaml
deleted file mode 100644
index d07d566fa5..0000000000
--- a/manager/manifests/istio/charts/security/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-citadel-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "security.name" . }}
- chart: {{ template "security.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
diff --git a/manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml b/manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml
deleted file mode 100644
index 60caeef602..0000000000
--- a/manager/manifests/istio/charts/security/templates/tests/test-citadel-connection.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-{{- if .Values.global.enableHelmTest }}
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ template "security.fullname" . }}-test
- namespace: {{ .Release.Namespace }}
- labels:
- app: istio-citadel-test
- chart: {{ template "security.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- istio: citadel
- annotations:
- sidecar.istio.io/inject: "false"
- helm.sh/hook: test-success
-spec:
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: "{{ template "security.fullname" . }}-test"
- image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
- imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
- command: ['sh', '-c', 'for i in 1 2 3; do curl http://istio-citadel:8060/-/ready && exit 0 || sleep 15; done; exit 1']
- restartPolicy: Never
- affinity:
- {{- include "nodeaffinity" . | indent 4 }}
- {{- include "podAntiAffinity" . | indent 4 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 2 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 2 }}
- {{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/security/values.yaml b/manager/manifests/istio/charts/security/values.yaml
deleted file mode 100644
index febb43d43a..0000000000
--- a/manager/manifests/istio/charts/security/values.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# security configuration
-#
-enabled: true
-replicaCount: 1
-image: citadel
-selfSigned: true # indicate if self-signed CA is used.
-createMeshPolicy: true
-nodeSelector: {}
-tolerations: []
-# Enable health checking on the Citadel CSR signing API.
-# https://istio.io/docs/tasks/security/health-check/
-citadelHealthCheck: false
-# 90*24hour = 2160h
-workloadCertTtl: 2160h
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml
deleted file mode 100644
index ff7bb5699c..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-name: sidecarInjectorWebhook
-version: 1.2.2
-appVersion: 1.2.2
-tillerVersion: ">=2.7.2"
-description: Helm chart for sidecar injector webhook deployment
-keywords:
- - istio
- - sidecarInjectorWebhook
-sources:
- - http://github.com/istio/istio
-engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl
deleted file mode 100644
index f3b9fb15b9..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "sidecar-injector.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "sidecar-injector.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "sidecar-injector.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
deleted file mode 100644
index 27f9acb517..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: istio-sidecar-injector-{{ .Release.Namespace }}
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-rules:
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs: ["get", "list", "watch", "patch"]
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
deleted file mode 100644
index 748a93244c..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: istio-sidecar-injector-{{ .Release.Namespace }}
-subjects:
- - kind: ServiceAccount
- name: istio-sidecar-injector-service-account
- namespace: {{ .Release.Namespace }}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
deleted file mode 100644
index b9bcd6ca73..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: istio-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- istio: sidecar-injector
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
- annotations:
- sidecar.istio.io/inject: "false"
- spec:
- serviceAccountName: istio-sidecar-injector-service-account
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: sidecar-injector-webhook
-{{- if contains "/" .Values.image }}
- image: "{{ .Values.image }}"
-{{- else }}
- image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
-{{- end }}
- imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- args:
- - --caCertFile=/etc/istio/certs/root-cert.pem
- - --tlsCertFile=/etc/istio/certs/cert-chain.pem
- - --tlsKeyFile=/etc/istio/certs/key.pem
- - --injectConfig=/etc/istio/inject/config
- - --meshConfig=/etc/istio/config/mesh
- - --healthCheckInterval=2s
- - --healthCheckFile=/health
- volumeMounts:
- - name: config-volume
- mountPath: /etc/istio/config
- readOnly: true
- - name: certs
- mountPath: /etc/istio/certs
- readOnly: true
- - name: inject-config
- mountPath: /etc/istio/inject
- readOnly: true
- livenessProbe:
- exec:
- command:
- - /usr/local/bin/sidecar-injector
- - probe
- - --probe-path=/health
- - --interval=4s
- initialDelaySeconds: 4
- periodSeconds: 4
- readinessProbe:
- exec:
- command:
- - /usr/local/bin/sidecar-injector
- - probe
- - --probe-path=/health
- - --interval=4s
- initialDelaySeconds: 4
- periodSeconds: 4
- resources:
-{{- if .Values.resources }}
-{{ toYaml .Values.resources | indent 12 }}
-{{- else }}
-{{ toYaml .Values.global.defaultResources | indent 12 }}
-{{- end }}
- volumes:
- - name: config-volume
- configMap:
- name: istio
- - name: certs
- secret:
- secretName: istio.istio-sidecar-injector-service-account
- - name: inject-config
- configMap:
- name: istio-sidecar-injector
- items:
- - key: config
- path: config
- - key: values
- path: values
- affinity:
- {{- include "nodeaffinity" . | indent 6 }}
- {{- include "podAntiAffinity" . | indent 6 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 6 }}
- {{- end }}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
deleted file mode 100644
index 82963f1d97..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: MutatingWebhookConfiguration
-metadata:
- name: istio-sidecar-injector
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-webhooks:
- - name: sidecar-injector.istio.io
- clientConfig:
- service:
- name: istio-sidecar-injector
- namespace: {{ .Release.Namespace }}
- path: "/inject"
- caBundle: ""
- rules:
- - operations: [ "CREATE" ]
- apiGroups: [""]
- apiVersions: ["v1"]
- resources: ["pods"]
- failurePolicy: Fail
- namespaceSelector:
-{{- if .Values.enableNamespacesByDefault }}
- matchExpressions:
- - key: name
- operator: NotIn
- values:
- - {{ .Release.Namespace }}
- - key: istio-injection
- operator: NotIn
- values:
- - disabled
-{{- else }}
- matchLabels:
- istio-injection: enabled
-{{- end }}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 870b92508c..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
- name: istio-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "sidecar-injector.name" . }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-spec:
-{{ include "podDisruptionBudget.spec" .Values.global.defaultPodDisruptionBudget }}
- selector:
- matchLabels:
- app: {{ template "sidecar-injector.name" . }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
- {{- end }}
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml
deleted file mode 100644
index a68557a847..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: istio-sidecar-injector
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
-spec:
- ports:
- - port: 443
- selector:
- istio: sidecar-injector
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
deleted file mode 100644
index d4020b5170..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
- - name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
- name: istio-sidecar-injector-service-account
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "sidecar-injector.name" . }}
- chart: {{ template "sidecar-injector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- istio: sidecar-injector
diff --git a/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml b/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml
deleted file mode 100644
index b2c2f934d3..0000000000
--- a/manager/manifests/istio/charts/sidecarInjectorWebhook/values.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# sidecar-injector webhook configuration
-#
-enabled: true
-replicaCount: 1
-image: sidecar_injector
-enableNamespacesByDefault: false
-nodeSelector: {}
-tolerations: []
-
-# Specify the pod anti-affinity that allows you to constrain which nodes
-# your pod is eligible to be scheduled based on labels on pods that are
-# already running on the node rather than based on labels on nodes.
-# There are currently two types of anti-affinity:
-# "requiredDuringSchedulingIgnoredDuringExecution"
-# "preferredDuringSchedulingIgnoredDuringExecution"
-# which denote “hard” vs. “soft” requirements, you can define your values
-# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
-# correspondingly.
-# For example:
-# podAntiAffinityLabelSelector:
-# - key: security
-# operator: In
-# values: S1,S2
-# topologyKey: "kubernetes.io/hostname"
-# This pod anti-affinity rule says that the pod requires not to be scheduled
-# onto a node if that node is already running a pod with label having key
-# “security” and value “S1”.
-podAntiAffinityLabelSelector: []
-podAntiAffinityTermLabelSelector: []
-
-# If true, webhook or istioctl injector will rewrite PodSpec for liveness
-# health check to redirect request to sidecar. This makes liveness check work
-# even when mTLS is enabled.
-rewriteAppHTTPProbe: false
-
-# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
-# always skip the injection on pods that match that label selector, regardless of the global policy.
-# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
-neverInjectSelector: []
-
-alwaysInjectSelector: []
diff --git a/manager/manifests/istio/charts/tracing/Chart.yaml b/manager/manifests/istio/charts/tracing/Chart.yaml
deleted file mode 100644
index 5a20fa1d2c..0000000000
--- a/manager/manifests/istio/charts/tracing/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-description: A Helm chart for Kubernetes
-name: tracing
-version: 1.2.2
-appVersion: 1.5.1
-tillerVersion: ">=2.7.2"
diff --git a/manager/manifests/istio/charts/tracing/templates/_helpers.tpl b/manager/manifests/istio/charts/tracing/templates/_helpers.tpl
deleted file mode 100644
index e246b59b1e..0000000000
--- a/manager/manifests/istio/charts/tracing/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "tracing.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "tracing.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "tracing.chart" -}}
-{{- .Chart.Name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml b/manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml
deleted file mode 100644
index 553cd59e23..0000000000
--- a/manager/manifests/istio/charts/tracing/templates/deployment-jaeger.yaml
+++ /dev/null
@@ -1,92 +0,0 @@ -{{ if eq .Values.provider "jaeger" }} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-tracing - namespace: {{ .Release.Namespace }} - labels: - app: jaeger - chart: {{ template "tracing.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: jaeger - template: - metadata: - labels: - app: jaeger - chart: {{ template "tracing.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - prometheus.io/scrape: "true" - prometheus.io/port: "16686" -{{- if .Values.contextPath }} - prometheus.io/path: "{{ .Values.contextPath }}/metrics" -{{- else }} - prometheus.io/path: "/{{ .Values.provider }}/metrics" -{{- end }} - spec: -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.imagePullSecrets }} - imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} -{{- end }} -{{- end }} - containers: - - name: jaeger - image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: 9411 - - containerPort: 16686 - - containerPort: 5775 - protocol: UDP - - containerPort: 6831 - protocol: UDP - - containerPort: 6832 - protocol: UDP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: COLLECTOR_ZIPKIN_HTTP_PORT - value: "9411" - - name: MEMORY_MAX_TRACES - value: "{{ .Values.jaeger.memory.max_traces }}" - - name: QUERY_BASE_PATH - value: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} - livenessProbe: - httpGet: - path: / - port: 16686 - readinessProbe: - httpGet: - path: / - port: 16686 - resources: -{{- if .Values.jaeger.resources }} -{{ toYaml .Values.jaeger.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} -{{ end }} diff --git a/manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml b/manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml deleted file mode 100644 index c3b85f7e5e..0000000000 --- a/manager/manifests/istio/charts/tracing/templates/deployment-zipkin.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -{{ if eq .Values.provider "zipkin" }} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-tracing - namespace: {{ .Release.Namespace }} - labels: - app: zipkin - chart: {{ template "tracing.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - selector: - matchLabels: - app: zipkin - template: - metadata: - labels: - app: zipkin - chart: {{ template "tracing.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - spec: -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} -{{- if .Values.global.imagePullSecrets }} - imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} - containers: - - name: zipkin - image: "{{ .Values.zipkin.hub }}/zipkin:{{ .Values.zipkin.tag }}" - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - ports: - - containerPort: {{ .Values.zipkin.queryPort }} - livenessProbe: - initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} - tcpSocket: - port: {{ .Values.zipkin.queryPort }} - readinessProbe: - initialDelaySeconds: {{ .Values.zipkin.probeStartupDelay }} - httpGet: - path: /health - port: {{ .Values.zipkin.queryPort }} - resources: -{{- if .Values.zipkin.resources }} -{{ toYaml .Values.zipkin.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: QUERY_PORT - value: "{{ .Values.zipkin.queryPort }}" - - name: JAVA_OPTS - value: "-XX:ConcGCThreads={{ .Values.zipkin.node.cpus }} -XX:ParallelGCThreads={{ .Values.zipkin.node.cpus }} -Djava.util.concurrent.ForkJoinPool.common.parallelism={{ .Values.zipkin.node.cpus }} -Xms{{ .Values.zipkin.javaOptsHeap }}M -Xmx{{ 
.Values.zipkin.javaOptsHeap }}M -XX:+UseG1GC -server" - - name: STORAGE_METHOD - value: "mem" - - name: ZIPKIN_STORAGE_MEM_MAXSPANS - value: "{{ .Values.zipkin.maxSpans }}" - affinity: - {{- include "nodeaffinity" . | indent 6 }} - {{- include "podAntiAffinity" . | indent 6 }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} - {{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} - {{- end }} -{{ end }} diff --git a/manager/manifests/istio/charts/tracing/templates/ingress.yaml b/manager/manifests/istio/charts/tracing/templates/ingress.yaml deleted file mode 100644 index 72f362166d..0000000000 --- a/manager/manifests/istio/charts/tracing/templates/ingress.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if .Values.ingress.enabled -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ template "tracing.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Values.provider }} - chart: {{ template "tracing.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: -{{- if .Values.ingress.hosts }} - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: {{ if $.Values.contextPath }} {{ $.Values.contextPath }} {{ else }} /{{ $.Values.provider }} {{ end }} - backend: - serviceName: tracing - servicePort: 80 - - {{- end -}} -{{- else }} - - http: - paths: - - path: {{ if .Values.contextPath }} {{ .Values.contextPath }} {{ else }} /{{ .Values.provider }} {{ end }} - backend: - serviceName: tracing - servicePort: 80 -{{- end }} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} 
diff --git a/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml b/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml
deleted file mode 100644
index e8c2bc9d89..0000000000
--- a/manager/manifests/istio/charts/tracing/templates/service-jaeger.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-{{ if eq .Values.provider "jaeger" }}
-
-apiVersion: v1
-kind: List
-metadata:
- name: jaeger-services
- namespace: {{ .Release.Namespace }}
- labels:
- app: jaeger
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-items:
-- apiVersion: v1
- kind: Service
- metadata:
- name: jaeger-query
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := .Values.service.annotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
- app: jaeger
- jaeger-infra: jaeger-service
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- spec:
- ports:
- - name: query-http
- port: 16686
- protocol: TCP
- targetPort: 16686
- selector:
- app: jaeger
-- apiVersion: v1
- kind: Service
- metadata:
- name: jaeger-collector
- namespace: {{ .Release.Namespace }}
- labels:
- app: jaeger
- jaeger-infra: collector-service
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- spec:
- ports:
- - name: jaeger-collector-tchannel
- port: 14267
- protocol: TCP
- targetPort: 14267
- - name: jaeger-collector-http
- port: 14268
- targetPort: 14268
- protocol: TCP
- selector:
- app: jaeger
- type: ClusterIP
-- apiVersion: v1
- kind: Service
- metadata:
- name: jaeger-agent
- namespace: {{ .Release.Namespace }}
- labels:
- app: jaeger
- jaeger-infra: agent-service
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- spec:
- ports:
- - name: agent-zipkin-thrift
- port: 5775
- protocol: UDP
- targetPort: 5775
- - name: agent-compact
- port: 6831
- protocol: UDP
- targetPort: 6831
- - name: agent-binary
- port: 6832
- protocol: UDP
- targetPort: 6832
- clusterIP: None
- selector:
- app: jaeger
-{{ end }}
diff --git a/manager/manifests/istio/charts/tracing/templates/service.yaml b/manager/manifests/istio/charts/tracing/templates/service.yaml
deleted file mode 100644
index fe94067b0a..0000000000
--- a/manager/manifests/istio/charts/tracing/templates/service.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: v1
-kind: List
-metadata:
- name: tracing-services
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-items:
-- apiVersion: v1
- kind: Service
- metadata:
- name: zipkin
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: 9411
- protocol: TCP
- name: {{ .Values.service.name }}
- selector:
- app: {{ .Values.provider }}
-- apiVersion: v1
- kind: Service
- metadata:
- name: tracing
- namespace: {{ .Release.Namespace }}
- annotations:
- {{- range $key, $val := .Values.service.annotations }}
- {{ $key }}: {{ $val | quote }}
- {{- end }}
- labels:
- app: {{ .Values.provider }}
- chart: {{ template "tracing.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- spec:
- ports:
- - name: http-query
- port: 80
- protocol: TCP
-{{ if eq .Values.provider "jaeger" }}
- targetPort: 16686
-{{ else }}
- targetPort: 9411
-{{ end}}
- selector:
- app: {{ .Values.provider }}
diff --git a/manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml b/manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml
deleted file mode 100644
index 01b1767902..0000000000
--- a/manager/manifests/istio/charts/tracing/templates/tests/test-tracing-connection.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if .Values.global.enableHelmTest }}
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ .Release.Name }}-{{ .Values.provider }}-test
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Values.provider }}-test
- chart: {{ template "tracing.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- sidecar.istio.io/inject: "false"
- helm.sh/hook: test-success
-spec:
-{{- if .Values.global.priorityClassName }}
- priorityClassName: "{{ .Values.global.priorityClassName }}"
-{{- end }}
- containers:
- - name: "{{ .Values.provider }}-test"
- image: {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
- imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
- command: ['curl']
- {{- if eq .Values.provider "jaeger" }}
- args: ['http://tracing:80{{ .Values.jaeger.contextPath}}']
- {{- else }}
- args: ['http://tracing:80']
- {{- end }}
- restartPolicy: Never
- affinity:
- {{- include "nodeaffinity" . | indent 4 }}
- {{- include "podAntiAffinity" . | indent 4 }}
- {{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 2 }}
- {{- else if .Values.global.defaultTolerations }}
- tolerations:
-{{ toYaml .Values.global.defaultTolerations | indent 2 }}
- {{- end }}
-{{- end }}
diff --git a/manager/manifests/istio/charts/tracing/values.yaml b/manager/manifests/istio/charts/tracing/values.yaml
deleted file mode 100644
index 19102a514e..0000000000
--- a/manager/manifests/istio/charts/tracing/values.yaml
+++ /dev/null
@@ -1,76 +0,0 @@ -# -# addon jaeger tracing configuration -# -enabled: false - -provider: jaeger -nodeSelector: {} -tolerations: [] - -# Specify the pod anti-affinity that allows you to constrain which nodes -# your pod is eligible to be scheduled based on labels on pods that are -# already running on the node rather than based on labels on nodes. -# There are currently two types of anti-affinity: -# "requiredDuringSchedulingIgnoredDuringExecution" -# "preferredDuringSchedulingIgnoredDuringExecution" -# which denote “hard” vs. “soft” requirements, you can define your values -# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" -# correspondingly. -# For example: -# podAntiAffinityLabelSelector: -# - key: security -# operator: In -# values: S1,S2 -# topologyKey: "kubernetes.io/hostname" -# This pod anti-affinity rule says that the pod requires not to be scheduled -# onto a node if that node is already running a pod with label having key -# “security” and value “S1”. -podAntiAffinityLabelSelector: [] -podAntiAffinityTermLabelSelector: [] - -jaeger: - hub: docker.io/jaegertracing - tag: 1.9 - memory: - max_traces: 50000 - -zipkin: - hub: docker.io/openzipkin - tag: 2 - probeStartupDelay: 200 - queryPort: 9411 - resources: - limits: - cpu: 300m - memory: 900Mi - requests: - cpu: 150m - memory: 900Mi - javaOptsHeap: 700 - # 
From: https://github.com/openzipkin/zipkin/blob/master/zipkin-server/src/main/resources/zipkin-server-shared.yml#L51 - # Maximum number of spans to keep in memory. When exceeded, oldest traces (and their spans) will be purged. - # A safe estimate is 1K of memory per span (each span with 2 annotations + 1 binary annotation), plus - # 100 MB for a safety buffer. You'll need to verify in your own environment. - maxSpans: 500000 - node: - cpus: 2 - -service: - annotations: {} - name: http - type: ClusterIP - externalPort: 9411 - -ingress: - enabled: false - # Used to create an Ingress record. - hosts: - # - tracing.local - annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - tls: - # Secrets must be manually created in the namespace. - # - secretName: tracing-tls - # hosts: - # - tracing.local diff --git a/manager/manifests/istio/files/injection-template.yaml b/manager/manifests/istio/files/injection-template.yaml deleted file mode 100644 index 99d56acac2..0000000000 --- a/manager/manifests/istio/files/injection-template.yaml +++ /dev/null 
@@ -1,348 +0,0 @@ -rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} -{{- if or (not .Values.istio_cni.enabled) .Values.global.proxy.enableCoreDump }} -initContainers: -{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} -{{- if not .Values.istio_cni.enabled }} -- name: istio-init -{{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" -{{- end }} - args: - - "-p" - - "15001" - - "-u" - - 1337 - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" - - "-d" - - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - imagePullPolicy: "{{ .Values.global.imagePullPolicy }}" - resources: - requests: - cpu: 10m - 
memory: 10Mi - limits: - cpu: 100m - memory: 50Mi - securityContext: - runAsUser: 0 - runAsNonRoot: false - capabilities: - add: - - NET_ADMIN - {{- if .Values.global.proxy.privileged }} - privileged: true - {{- end }} - restartPolicy: Always - env: - {{- if contains "*" (annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` "") }} - - name: INBOUND_CAPTURE_PORT - value: 15006 - {{- end }} -{{- end }} -{{ end -}} -{{- if eq .Values.global.proxy.enableCoreDump true }} -- name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited - command: - - /bin/sh -{{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" -{{- end }} - imagePullPolicy: IfNotPresent - resources: {} - securityContext: - runAsUser: 0 - runAsNonRoot: false - privileged: true -{{ end }} -{{- end }} -containers: -- name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" -{{- else }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" -{{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --configPath - - "{{ .ProxyConfig.ConfigPath }}" - - --binaryPath - - "{{ .ProxyConfig.BinaryPath }}" - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - - --drainDuration - - "{{ formatDuration 
.ProxyConfig.DrainDuration }}" - - --parentShutdownDuration - - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" - - --discoveryAddress - - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" -{{- if eq .Values.global.proxy.tracer "lightstep" }} - - --lightstepAddress - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" - - --lightstepAccessToken - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" - - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} - - --lightstepCacertPath - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" -{{- else if eq .Values.global.proxy.tracer "zipkin" }} - - --zipkinAddress - - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" -{{- else if eq .Values.global.proxy.tracer "datadog" }} - - --datadogAgentAddress - - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" -{{- end }} -{{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} -{{- end}} -{{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} -{{- end}} - - --dnsRefreshRate - - {{ .Values.global.proxy.dnsRefreshRate }} - - --connectTimeout - - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" -{{- if .Values.global.proxy.envoyStatsd.enabled }} - - --statsdUdpAddress - - "{{ .ProxyConfig.StatsdUdpAddress }}" -{{- end }} -{{- if .Values.global.proxy.envoyMetricsService.enabled }} - - --envoyMetricsServiceAddress - - "{{ .ProxyConfig.EnvoyMetricsServiceAddress }}" -{{- end }} - - --proxyAdminPort - - "{{ .ProxyConfig.ProxyAdminPort }}" - {{ if gt .ProxyConfig.Concurrency 0 -}} - - --concurrency - - "{{ .ProxyConfig.Concurrency }}" - {{ end -}} - - --controlPlaneAuthPolicy - - "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}" -{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" 
.Values.global.proxy.statusPort) "0") }} - - --statusPort - - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" - - --applicationPorts - - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" -{{- end }} -{{- if .Values.global.trustDomain }} - - --trust-domain={{ .Values.global.trustDomain }} -{{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP -{{ if eq .Values.global.proxy.tracer "datadog" }} - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP -{{ end }} - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} - {{ if .ObjectMeta.Labels }} - - name: ISTIO_METAJSON_LABELS - value: | - {{ toJSON .ObjectMeta.Labels }} - {{ end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.sds.customTokenDirectory }} - - name: ISTIO_META_SDS_TOKEN_PATH - value: "{{ .Values.global.sds.customTokenDirectory 
-}}/sdstoken" - {{- end }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if .Values.global.proxy.privileged }} - privileged: true - {{- end }} - {{- if ne .Values.global.proxy.enableCoreDump true }} - readOnlyRootFilesystem: true - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - capabilities: - add: - - NET_ADMIN - runAsGroup: 1337 - {{ else -}} - {{ if and .Values.global.sds.enabled .Values.global.sds.useTrustworthyJwt }} - runAsGroup: 1337 - {{- end }} - runAsUser: 1337 - {{- end }} - resources: - {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end}} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{ else -}} -{{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} -{{- end }} - {{ end -}} - volumeMounts: - {{ if (isset 
.ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if .Values.global.sds.enabled }} - - mountPath: /var/run/sds - name: sds-uds-path - readOnly: true - {{- if .Values.global.sds.useTrustworthyJwt }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.sds.customTokenDirectory }} - - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" - name: custom-sds-token - readOnly: true - {{- end }} - {{- else }} - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{- end }} -volumes: -{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} -- name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} -{{- end }} -- emptyDir: - medium: Memory - name: istio-envoy -{{- if .Values.global.sds.enabled }} -- name: sds-uds-path - hostPath: - path: /var/run/sds -{{- if .Values.global.sds.customTokenDirectory }} -- name: custom-sds-token - secret: - secretName: sdstokensecret -{{- end }} -{{- if .Values.global.sds.useTrustworthyJwt }} -- name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.trustDomain }} -{{- end }} -{{- else }} -- name: istio-certs - secret: - optional: true - {{ if eq 
.Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} -- name: "{{ $index }}" - {{ toYaml $value | indent 2 }} - {{ end }} - {{ end }} -{{- end }} -{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} -- name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert -{{- end }} -{{- if .Values.global.podDNSSearchNamespaces }} -dnsConfig: - searches: - {{- range .Values.global.podDNSSearchNamespaces }} - - {{ render . }} - {{- end }} -{{- end }} diff --git a/manager/manifests/istio/requirements.yaml b/manager/manifests/istio/requirements.yaml deleted file mode 100644 index 939c49bfc7..0000000000 --- a/manager/manifests/istio/requirements.yaml +++ /dev/null @@ -1,40 +0,0 @@ -dependencies: - - name: sidecarInjectorWebhook - version: 1.2.2 - condition: sidecarInjectorWebhook.enabled - - name: security - version: 1.2.2 - condition: security.enabled - - name: gateways - version: 1.2.2 - condition: gateways.enabled - - name: mixer - version: 1.2.2 - condition: or mixer.policy.enabled mixer.telemetry.enabled - - name: nodeagent - version: 1.2.2 - condition: nodeagent.enabled - - name: pilot - version: 1.2.2 - condition: pilot.enabled - - name: grafana - version: 1.2.2 - condition: grafana.enabled - - name: prometheus - version: 1.2.2 - condition: prometheus.enabled - - name: tracing - version: 1.2.2 - condition: tracing.enabled - - name: galley - version: 1.2.2 - condition: galley.enabled - - name: kiali - version: 1.2.2 - condition: kiali.enabled - - name: istiocoredns - version: 1.2.2 - condition: istiocoredns.enabled - - name: certmanager - version: 1.2.2 - condition: certmanager.enabled 
diff --git a/manager/manifests/istio/templates/NOTES.txt b/manager/manifests/istio/templates/NOTES.txt
deleted file mode 100644
index be17dcd0be..0000000000
--- a/manager/manifests/istio/templates/NOTES.txt
+++ /dev/null
@@ -1,29 +0,0 @@
-Thank you for installing {{ .Chart.Name }}.
-
-Your release is named {{ .Release.Name }}.
-
-To get started running application with Istio, execute the following steps:
-
-{{- if index .Values "sidecarInjectorWebhook" "enabled" }}
-1. Label namespace that application object will be deployed to by the following command (take default namespace as an example)
-
-$ kubectl label namespace default istio-injection=enabled
-$ kubectl get namespace -L istio-injection
-
-2. Deploy your applications
-
-$ kubectl apply -f .yaml
-{{- else }}
-1. Download the latest release package to get sidecar injection tool
-
-$ curl -L https://git.io/getLatestIstio | sh -
-$ mv istio-* istio-latest
-$ export PATH="$PATH:$PWD/istio-latest/bin"
-
-2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject`
-
-$ kubectl apply -f <(istioctl kube-inject -f .yaml)
-{{- end }}
-
-For more information on running Istio, visit:
-https://istio.io/
diff --git a/manager/manifests/istio/templates/_affinity.tpl b/manager/manifests/istio/templates/_affinity.tpl
deleted file mode 100644
index 333eb9a25d..0000000000
--- a/manager/manifests/istio/templates/_affinity.tpl
+++ /dev/null
@@ -1,93 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{- define "nodeaffinity" }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .Values.global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .Values.global.defaultNodeSelector .Values.nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - - key: {{ $key }} - operator: In - values: - - {{ $val }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .Values.global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - {{ $key }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .Values.podAntiAffinityLabelSelector .Values.podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .Values.podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if or .Values.podAntiAffinityTermLabelSelector}} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .Values.podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .Values.podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/manager/manifests/istio/templates/_helpers.tpl b/manager/manifests/istio/templates/_helpers.tpl deleted file mode 100644 index f79bea4157..0000000000 --- a/manager/manifests/istio/templates/_helpers.tpl +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "istio.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "istio.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "istio.chart" -}} -{{- .Chart.Name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a fully qualified configmap name. -*/}} -{{- define "istio.configmap.fullname" -}} -{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Configmap checksum. -*/}} -{{- define "istio.configmap.checksum" -}} -{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}} -{{- end -}} diff --git a/manager/manifests/istio/templates/_podDisruptionBudget.tpl b/manager/manifests/istio/templates/_podDisruptionBudget.tpl deleted file mode 100644 index ebb86068cc..0000000000 --- a/manager/manifests/istio/templates/_podDisruptionBudget.tpl +++ /dev/null @@ -1,3 +0,0 @@ -{{- define "podDisruptionBudget.spec" }} - minAvailable: 1 -{{- end }} diff --git a/manager/manifests/istio/templates/clusterrole.yaml b/manager/manifests/istio/templates/clusterrole.yaml deleted file mode 100644 index b92c9ef8b4..0000000000 --- a/manager/manifests/istio/templates/clusterrole.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-reader -rules: - - apiGroups: [''] - resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] - verbs: ['get', 'watch', 'list'] - - apiGroups: ["extensions", "apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] diff --git a/manager/manifests/istio/templates/clusterrolebinding.yaml b/manager/manifests/istio/templates/clusterrolebinding.yaml deleted file mode 100644 index 827601b3dd..0000000000 --- a/manager/manifests/istio/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-multi - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader -subjects: -- kind: ServiceAccount - name: istio-multi - namespace: {{ .Release.Namespace }} diff --git a/manager/manifests/istio/templates/configmap.yaml b/manager/manifests/istio/templates/configmap.yaml deleted file mode 100644 index 9f4801dbb3..0000000000 --- a/manager/manifests/istio/templates/configmap.yaml +++ /dev/null 
@@ -1,273 +0,0 @@ -{{- if or .Values.pilot.enabled .Values.global.istioRemote }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istio.name" . }} - chart: {{ template "istio.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - mesh: |- - # Set the following variable to true to disable policy checks by the Mixer. - # Note that metrics will still be reported to the Mixer. - {{- if .Values.mixer.policy.enabled }} - disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} - {{- else }} - disablePolicyChecks: true - {{- end }} - - # Set enableTracing to false to disable request tracing. - enableTracing: {{ .Values.global.enableTracing }} - - # Set accessLogFile to empty string to disable access log. - accessLogFile: "{{ .Values.global.proxy.accessLogFile }}" - - # If accessLogEncoding is TEXT, value will be used directly as the log format - # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" - # If AccessLogEncoding is JSON, value will be parsed as map[string]string - # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' - # Leave empty to use default log format - accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }} - - # Set accessLogEncoding to JSON or TEXT to configure sidecar access log - accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}' - - {{- if .Values.global.istioRemote }} - - {{- if .Values.global.remotePolicyAddress }} - {{- if .Values.global.createRemoteSvcEndpoints }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004 - {{- else }} - mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004 - {{- end }} - {{- end }} - {{- if .Values.global.remoteTelemetryAddress }} - {{- if .Values.global.createRemoteSvcEndpoints }} - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004 - {{- else }} - mixerReportServer: {{ 
.Values.global.remoteTelemetryAddress }}:15004 - {{- end }} - {{- end }} - - {{- else }} - - {{- if .Values.mixer.policy.enabled }} - {{- if .Values.global.controlPlaneSecurityEnabled }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 - {{- else }} - mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 - {{- end }} - {{- end }} - {{- if .Values.mixer.telemetry.enabled }} - {{- if .Values.global.controlPlaneSecurityEnabled }} - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004 - {{- else }} - mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091 - {{- end }} - {{- end }} - - {{- end }} - - {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }} - # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. - # Default is false which means the traffic is denied when the client is unable to connect to Mixer. - policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} - {{- end }} - - {{- if .Values.gateways.enabled }} - # Let Pilot give ingresses the public IP of the Istio ingressgateway - ingressService: istio-ingressgateway - {{- end }} - - # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS - connectTimeout: 10s - - # DNS refresh rate for Envoy clusters of type STRICT_DNS - dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }} - - # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: {{ .Values.global.sds.udsPath }} - - # This flag is used by secret discovery service(SDS). 
- # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount - # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which - # will be used to generate key/cert eventually. This isn't supported for non-k8s case. - enableSdsTokenMount: {{ .Values.global.sds.useTrustworthyJwt }} - - # This flag is used by secret discovery service(SDS). - # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' - # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) - # and pass to sds server, which will be used to request key/cert eventually. - # this flag is ignored if enableSdsTokenMount is set. - # This isn't supported for non-k8s case. - sdsUseK8sSaJwt: {{ .Values.global.sds.useNormalJwt }} - - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: {{ .Values.global.trustDomain }} - - # Set the default behavior of the sidecar for handling outbound traffic from the application: - # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no - # services or ServiceEntries for the destination port - # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well - # as those defined through ServiceEntries - outboundTrafficPolicy: - mode: {{ .Values.global.outboundTrafficPolicy.mode }} - - localityLbSetting: -{{ toYaml .Values.global.localityLbSetting | indent 6 }} - - # The namespace to treat as the administrative root namespace for istio - # configuration. 
- {{- if .Values.global.configRootNamespace }} - rootNamespace: {{ .Values.global.configRootNamespace }} - {{- else }} - rootNamespace: {{ .Release.Namespace }} - {{- end }} - - {{- if .Values.global.defaultConfigVisibilitySettings }} - defaultServiceExportTo: - {{- range .Values.global.defaultConfigVisibilitySettings }} - - {{ . | quote }} - {{- end }} - defaultVirtualServiceExportTo: - {{- range .Values.global.defaultConfigVisibilitySettings }} - - {{ . | quote }} - {{- end }} - defaultDestinationRuleExportTo: - {{- range .Values.global.defaultConfigVisibilitySettings }} - - {{ . | quote }} - {{- end }} - {{- end }} - - {{- if $.Values.global.useMCP }} - configSources: - - address: istio-galley.{{ $.Release.Namespace }}.svc:9901 - {{- if $.Values.global.controlPlaneSecurityEnabled}} - tlsSettings: - mode: ISTIO_MUTUAL - {{- end }} - {{- end }} - - defaultConfig: - # - # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters - # defined in Envoy's configuration file - connectTimeout: 10s - # - ### ADVANCED SETTINGS ############# - # Where should envoy's configuration be stored in the istio-proxy container - configPath: "/etc/istio/proxy" - binaryPath: "/usr/local/bin/envoy" - # The pseudo service name used for Envoy. - serviceCluster: istio-proxy - # These settings that determine how long an old Envoy - # process should be kept alive after an occasional reload. - drainDuration: 45s - parentShutdownDuration: 1m0s - # - # The mode used to redirect inbound connections to Envoy. This setting - # has no effect on outbound traffic: iptables REDIRECT is always used for - # outbound connections. - # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. - # The "REDIRECT" mode loses source addresses during redirection. - # If "TPROXY", use iptables TPROXY to redirect to Envoy. 
- # The "TPROXY" mode preserves both the source and destination IP - # addresses and ports, so that they can be used for advanced filtering - # and manipulation. - # The "TPROXY" mode also configures the sidecar to run with the - # CAP_NET_ADMIN capability, which is required to use TPROXY. - #interceptionMode: REDIRECT - # - # Port where Envoy listens (on local host) for admin commands - # You can exec into the istio-proxy container in a pod and - # curl the admin port (curl http://localhost:15000/) to obtain - # diagnostic information from Envoy. See - # https://lyft.github.io/envoy/docs/operations/admin.html - # for more details - proxyAdminPort: 15000 - # - # Set concurrency to a specific number to control the number of Proxy worker threads. - # If set to 0 (default), then start worker thread for each CPU thread/core. - concurrency: {{ .Values.global.proxy.concurrency }} - # - {{- if eq .Values.global.proxy.tracer "lightstep" }} - tracing: - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - # Whether communication with the Satellite pool should be secure - secure: {{ .Values.global.tracer.lightstep.secure }} - # Path to the file containing the cacert to use when verifying TLS - cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - tracing: - zipkin: - # Address of the Zipkin collector - {{- if .Values.global.tracer.zipkin.address }} - address: {{ .Values.global.tracer.zipkin.address }} - {{- else if .Values.global.remoteZipkinAddress }} - address: {{ .Values.global.remoteZipkinAddress }}:9411 - {{- else }} - address: zipkin.{{ .Release.Namespace }}:9411 - {{- end }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - tracing: - datadog: - # Address of the Datadog Agent - address: {{ 
.Values.global.tracer.datadog.address }} - {{- end }} - - {{- if .Values.global.proxy.envoyStatsd.enabled }} - # - # Statsd metrics collector converts statsd metrics into Prometheus metrics. - statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} - {{- end }} - - {{- if .Values.global.proxy.envoyMetricsService.enabled }} - # - # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API. - envoyMetricsServiceAddress: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }} - {{- end}} - - {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }} - {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }} - {{- if .Values.global.controlPlaneSecurityEnabled }} - # - # Mutual TLS authentication between sidecars and istio control plane. - controlPlaneAuthPolicy: MUTUAL_TLS - # - # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} - discoveryAddress: {{ $defPilotHostname }}:15011 - {{- else }} - discoveryAddress: {{ $pilotAddress }}:15011 - {{- end }} - {{- else }} - # - # Mutual TLS authentication between sidecars and istio control plane. - controlPlaneAuthPolicy: NONE - # - # Address where istio Pilot service is running - {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} - discoveryAddress: {{ $defPilotHostname }}:15010 - {{- else }} - discoveryAddress: {{ $pilotAddress }}:15010 - {{- end }} - {{- end }} - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | indent 6 }} - {{- else }} - networks: {} - {{- end }} -{{- end }} 
diff --git a/manager/manifests/istio/templates/endpoints.yaml b/manager/manifests/istio/templates/endpoints.yaml deleted file mode 100644 index 81b8218536..0000000000 --- a/manager/manifests/istio/templates/endpoints.yaml +++ /dev/null @@ -1,63 +0,0 @@ -{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} -apiVersion: v1 -kind: Endpoints -metadata: - name: istio-pilot - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15003 - name: http-old-discovery # mTLS or non-mTLS depending on auth setting - - port: 15005 - name: https-discovery # always mTLS - - port: 15007 - name: http-discovery # always plain-text - - port: 15010 - name: grpc-xds # direct - - port: 15011 - name: https-xds # mTLS or non-mTLS depending on auth setting - - port: 8080 - name: http-legacy-discovery # direct - - port: 15014 - name: http-monitoring -{{- end }} -{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: istio-policy - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePolicyAddress }} - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-monitoring - port: 15014 -{{- end }} -{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: istio-telemetry - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remoteTelemetryAddress }} - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-monitoring - port: 15014 - - name: prometheus - port: 42422 -{{- end }} 
diff --git a/manager/manifests/istio/templates/install-custom-resources.sh.tpl b/manager/manifests/istio/templates/install-custom-resources.sh.tpl deleted file mode 100644 index a5525a1391..0000000000 --- a/manager/manifests/istio/templates/install-custom-resources.sh.tpl +++ /dev/null @@ -1,32 +0,0 @@ -{{ define "install-custom-resources.sh.tpl" }} -#!/bin/sh - -set -x - -if [ "$#" -ne "1" ]; then - echo "first argument should be path to custom resource yaml" - exit 1 -fi - -pathToResourceYAML=${1} - -kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null -if [ "$?" -eq 0 ]; then - echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" - while true; do - kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null - if [ "$?" -eq 0 ]; then - break - fi - sleep 1 - done - kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley - if [ "$?" -ne 0 ]; then - echo "istio-galley deployment rollout status check failed" - exit 1 - fi - echo "istio-galley deployment ready for configuration validation" -fi -sleep 5 -kubectl apply -f ${pathToResourceYAML} -{{ end }} diff --git a/manager/manifests/istio/templates/service.yaml b/manager/manifests/istio/templates/service.yaml deleted file mode 100644 index 732cdefd20..0000000000 --- a/manager/manifests/istio/templates/service.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }} -apiVersion: v1 -kind: Service -metadata: - name: istio-pilot - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15003 - name: http-old-discovery # mTLS or non-mTLS depending on auth setting - - port: 15005 - name: https-discovery # always mTLS - - port: 15007 - name: http-discovery # always plain-text - - port: 15010 - name: grpc-xds # direct - - port: 15011 - name: https-xds # mTLS or non-mTLS depending on auth setting - - port: 8080 - name: http-legacy-discovery # direct - - port: 15014 - name: http-monitoring - clusterIP: None -{{- end }} -{{- if and .Values.global.remotePolicyAddress .Values.global.createRemoteSvcEndpoints }} ---- -apiVersion: v1 -kind: Service -metadata: - name: istio-policy - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-monitoring - port: 15014 - clusterIP: None -{{- end }} -{{- if and .Values.global.remoteTelemetryAddress .Values.global.createRemoteSvcEndpoints }} ---- -apiVersion: v1 -kind: Service -metadata: - name: istio-telemetry - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-monitoring - port: 15014 - - name: prometheus - port: 42422 - clusterIP: None -{{- end }} diff --git a/manager/manifests/istio/templates/serviceaccount.yaml b/manager/manifests/istio/templates/serviceaccount.yaml deleted file mode 100644 index e52d9eb9c3..0000000000 --- a/manager/manifests/istio/templates/serviceaccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-multi - namespace: {{ .Release.Namespace }} 
diff --git a/manager/manifests/istio/templates/sidecar-injector-configmap.yaml b/manager/manifests/istio/templates/sidecar-injector-configmap.yaml deleted file mode 100644 index 5493b05d58..0000000000 --- a/manager/manifests/istio/templates/sidecar-injector-configmap.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "istio.name" . }} - chart: {{ template "istio.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - istio: sidecar-injector -data: - values: |- - {{ .Values | toJson }} - - config: |- - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }} - template: |- -{{ .Files.Get "files/injection-template.yaml" | indent 6 }} -{{- end }} diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh index 3e4c0eba44..a9f3667cd0 100755 --- a/manager/uninstall_cortex.sh +++ b/manager/uninstall_cortex.sh @@ -32,5 +32,7 @@ kubectl delete --ignore-not-found=true customresourcedefinition scheduledsparkap kubectl delete --ignore-not-found=true customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1 kubectl delete --ignore-not-found=true namespace istio-system >/dev/null 2>&1 kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1 +helm del --purge istio-init 2>&1 +helm del --purge istio 2>&1 echo "✓ Uninstalled Cortex" From 6f5cc35109c572ea689bdd294d3b38eb457a7a68 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 24 Jul 2019 14:36:20 -0400 Subject: [PATCH 25/68] add back space --- pkg/workloads/cortex/tf_api/api.py | 1 + 1 file changed, 1 insertion(+) 
diff --git a/pkg/workloads/cortex/tf_api/api.py b/pkg/workloads/cortex/tf_api/api.py index 0ce5231850..539445d19e 100644 --- a/pkg/workloads/cortex/tf_api/api.py +++ b/pkg/workloads/cortex/tf_api/api.py @@ -441,6 +441,7 @@ def validate_model_dir(model_dir): def start(args): ctx = Context(s3_path=args.context, cache_dir=args.cache_dir, workload_id=args.workload_id) + api = ctx.apis_id_map[args.api] local_cache["api"] = api local_cache["ctx"] = ctx From 3835a8cf5feabe6600fc8df709dc8137896d60bf Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 24 Jul 2019 14:39:35 -0400 Subject: [PATCH 26/68] add back eks commands --- cortex.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cortex.sh b/cortex.sh index 6f4c205685..ca7666d0f3 100755 --- a/cortex.sh +++ b/cortex.sh @@ -427,7 +427,7 @@ if [ "$arg1" = "install" ]; then show_help exit 1 elif [ "$arg2" = "" ]; then - prompt_for_telemetry && install_cortex && info + prompt_for_telemetry && install_eks && install_cortex && info elif [ "$arg2" = "cli" ]; then install_cli elif [ "$arg2" = "" ]; then @@ -445,7 +445,7 @@ elif [ "$arg1" = "uninstall" ]; then show_help exit 1 elif [ "$arg2" = "" ]; then - uninstall_cortex + uninstall_cortex && uninstall_eks elif [ "$arg2" = "cli" ]; then uninstall_cli elif [ "$arg2" = "" ]; then From 240d8a872d3e5d107046861b13c266ecc4f28037 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 24 Jul 2019 14:41:56 -0400 Subject: [PATCH 27/68] remove helm uninstall lines --- manager/uninstall_cortex.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh index a9f3667cd0..3e4c0eba44 100755 --- a/manager/uninstall_cortex.sh +++ b/manager/uninstall_cortex.sh 
@@ -32,7 +32,5 @@ kubectl delete --ignore-not-found=true customresourcedefinition scheduledsparkap
 kubectl delete --ignore-not-found=true customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1
 kubectl delete --ignore-not-found=true namespace istio-system >/dev/null 2>&1
 kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1
-helm del --purge istio-init 2>&1
-helm del --purge istio 2>&1
 echo "✓ Uninstalled Cortex"
From 175e7750c38a8999d4580f0edec002e7d23ca1de Mon Sep 17 00:00:00 2001
From: Ivan Zhang
Date: Thu, 25 Jul 2019 07:50:52 -0400
Subject: [PATCH 28/68] clean up
---
 manager/install_cortex.sh | 3 +-
 manager/manifests/istio.yaml | 464 +----------------------------------
 2 files changed, 2 insertions(+), 465 deletions(-)
diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh
index d4049b1cc7..648697349d 100755
--- a/manager/install_cortex.sh
+++ b/manager/install_cortex.sh
@@ -178,8 +178,7 @@ envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null
 kubectl create namespace istio-system
 kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com/3_application/private/cortex.example.com.key.pem --cert cortex.example.com/3_application/certs/cortex.example.com.cert.pem
 helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
-sleep 20
-helm template manifests/istio --values manifests/istio.yaml --name istio --namespace istio-system | kubectl apply -f -
+sleep 60 && helm template manifests/istio --values manifests/istio.yaml --name istio --namespace istio-system | kubectl apply -f -
 envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null
 envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null
diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio.yaml
index ce93ecc8c4..2a2c996203 100644
--- a/manager/manifests/istio.yaml
+++ b/manager/manifests/istio.yaml
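Review bot: The added `sleep 60 && helm template manifests/istio ... | kubectl apply -f -` line in the manager/install_cortex.sh hunk still gates the Istio install on a fixed delay rather than on the istio-init CRD jobs having finished, so a slow cluster can reach `kubectl apply` before the CRDs are registered. In that case the Istio custom resources would be rejected while the rest of the chart applies, and, unless an error exit outside this hunk stops the script, the operator and API manifests on the following lines are deployed behind a partially configured mesh. The `&&` adds no gating, since `sleep` always succeeds. Waiting on the jobs would make the step deterministic and fail closed: put `kubectl -n istio-system wait --for=condition=complete job --all --timeout=300s || exit 1` before the `helm template manifests/istio` line (the timeout value is illustrative).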
@@ -47,18 +47,6 @@ gateways: - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls - - port: 15029 - targetPort: 15029 - name: http2-kiali - - port: 15030 - targetPort: 15030 - name: http2-prometheus - - port: 15031 - targetPort: 15031 - name: http2-grafana - - port: 15032 - targetPort: 15032 - name: http2-tracing tracing: enabled: true secretVolumes: @@ -99,18 +87,6 @@ gateways: - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls - - port: 15029 - targetPort: 15029 - name: http2-kiali - - port: 15030 - targetPort: 15030 - name: http2-prometheus - - port: 15031 - targetPort: 15031 - name: http2-grafana - - port: 15032 - targetPort: 15032 - name: http2-tracing tracing: enabled: true secretVolumes: @@ -121,10 +97,6 @@ gateways: secretName: istio-customgateway-ca-certs mountPath: /etc/istio/customgateway-ca-certs -# -# sidecar-injector webhook configuration, refer to the -# charts/sidecarInjectorWebhook/values.yaml for detailed configuration -# sidecarInjectorWebhook: enabled: true alwaysInjectSelector: 
@@ -133,473 +105,39 @@ sidecarInjectorWebhook: - matchLabels: workloadType: operator - -# -# galley configuration, refer to charts/galley/values.yaml -# for detailed configuration -# galley: enabled: true -# -# mixer configuration -# -# @see charts/mixer/values.yaml, it takes precedence mixer: policy: - # if policy is enabled the global.disablePolicyChecks has affect. enabled: false telemetry: enabled: false -# -# pilot configuration -# -# @see charts/pilot/values.yaml + pilot: enabled: true -# -# security configuration -# security: enabled: true -# -# nodeagent configuration -# nodeagent: enabled: false -# -# addon grafana configuration -# grafana: enabled: false -# -# addon prometheus configuration -# prometheus: enabled: false -# -# addon jaeger tracing configuration -# tracing: enabled: false -# -# addon kiali tracing configuration -# kiali: enabled: false -# -# addon certmanager configuration -# -certmanager: - enabled: false - -# -# Istio CNI plugin enabled -# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately. -# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect -# settings for the istio-proxy. -# -istio_cni: - enabled: false - -# addon Istio CoreDNS configuration -# -istiocoredns: - enabled: false - -# Common settings used among istio subcharts. global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly hub: docker.io/istio - - # Default tag for Istio images. 
tag: 1.2.2 - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # monitoring port used by mixer, pilot, galley - monitoringPort: 15014 - - k8sIngress: - enabled: false - # Gateway used for k8s Ingress resources. By default it is - # using 'istio:ingressgateway' that will be installed by setting - # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' - # flags to true. - gatewayName: ingressgateway - # enableHttps will add port 443 on the ingress. - # It REQUIRES that the certificates are installed in the - # expected secrets - enabling this option without certificates - # will result in LDS rejection and the ingress will not work. - enableHttps: false - proxy: - image: proxyv2 - - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Controls number of Proxy worker threads. - # If set to 0 (default), then start worker thread for each CPU thread/core. - concurrency: 2 - - # Configures the access log for each sidecar. - # Options: - # "" - disables access log - # "/dev/stdout" - enables access log - accessLogFile: "" - - # Configure how and what fields are displayed in sidecar access log. Setting to - # empty string will result in default log format - accessLogFormat: "" - - # Configure the access log for sidecar to JSON or TEXT. - accessLogEncoding: TEXT - - # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: "" - - # Per Component log level for proxy, applies to gateways and sidecars. 
If a component level is - # not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. - componentLogLevel: "" - - # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS - # This must be given it terms of seconds. For example, 300s is valid but 5m is invalid. - dnsRefreshRate: 300s - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 1 - - # The period between readiness probes. - readinessPeriodSeconds: 2 - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 30 - - # istio egress capture whitelist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - excludeOutboundPorts: "" - - # pod internal interfaces - kubevirtInterfaces: "" - - # istio ingress capture whitelist - # examples: - # Redirect no inbound traffic to Envoy: --includeInboundPorts="" - # Redirect all inbound traffic to Envoy: --includeInboundPorts="*" - # Redirect only selected ports: --includeInboundPorts="80,8080" - includeInboundPorts: "*" - excludeInboundPorts: "" - - # This controls the 'policy' in the sidecar injector. autoInject: disabled - - # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument - # would be :). - # Disabled by default. - # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. 
- envoyStatsd: - # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. - enabled: false - host: # example: statsd-svc.istio-system - port: # example: 9125 - - # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector - # via the Metrics Service gRPC API. This contains detailed stats information emitted directly - # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also - # available to scrape via the Envoy admin port at either /stats or /stats/prometheus. - # - # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto - # for details about Envoy's Metrics Service API. - # - # Disabled by default. - envoyMetricsService: - enabled: false - host: # example: metrics-service.istio-system - port: # example: 15000 - - # Specify which tracer to use. One of: lightstep, zipkin, datadog - tracer: "zipkin" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxy_init - - # imagePullPolicy is applied to istio control plane components. - # local tests require IfNotPresent, to avoid uploading to dockerhub. - # TODO: Switch to Always as default, and override in the local tests. - imagePullPolicy: IfNotPresent - - # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are - # propagated, not recommended for tests. - controlPlaneSecurityEnabled: false - - # disablePolicyChecks disables mixer policy checks. - # if mixer.policy.enabled==true then disablePolicyChecks has affect. - # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. - disablePolicyChecks: true - - # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. - # Default is false which means the traffic is denied when the client is unable to connect to Mixer. 
- policyCheckFailOpen: false - - # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. - enableTracing: true - - # Configuration for each of the supported tracers - tracer: - # Configuration for envoy to send trace data to LightStep. - # Disabled by default. - # address: the : of the satellite pool - # accessToken: required for sending data to the pool - # secure: specifies whether data should be sent with TLS - # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is - # required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination - # namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. - # - lightstep: - address: "" # example: lightstep-satellite:443 - accessToken: "" # example: abcdefg1234567 - secure: true # example: true|false - cacertPath: "" # example: /etc/lightstep/cacert.pem - zipkin: - # Host:Port for reporting trace data in zipkin format. If not specified, will default to - # zipkin service (port 9411) in the same namespace as the other istio components. - address: "" - datadog: - # Host:Port for submitting traces to the Datadog agent. - address: "$(HOST_IP):8126" - - # Default mtls policy. If true, mtls between services will be enabled by default. - mtls: - # Default setting for service-to-service mtls. Can be set explicitly using - # destination rules or service annotations. - enabled: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. 
- imagePullSecrets: - # - private-registry-key - - # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: - amd64: 2 - s390x: 2 - ppc64le: 2 - - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Whether to perform server-side validation of configuration. - configValidation: true - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. 
- #podDNSSearchNamespaces: - #- global - #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global" - - # If set to true, the pilot and citadel mtls will be exposed on the - # ingress gateway - meshExpansion: - enabled: false - # If set to true, the pilot and citadel mtls and the plain text pilot ports - # will be exposed on an internal gateway - useILB: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # enable pod distruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - # Use the Mesh Control Protocol (MCP) for configuring Mixer and - # Pilot. Requires galley (`--set galley.enabled=true`). 
- useMCP: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - # Indicate the domain used in SPIFFE identity URL - # The default depends on the environment. - # kubernetes: cluster.local - # else: default dns domain - trustDomain: "" - - # Set the default behavior of the sidecar for handling outbound traffic from the application: - # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no - # services or ServiceEntries for the destination port - # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well - # as those defined through ServiceEntries - # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests - # to services outside of the mesh without any ServiceEntry. - # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY. - outboundTrafficPolicy: - mode: ALLOW_ANY - - # The namespace where globally shared configurations should be present. - # DestinationRules that apply to the entire mesh (e.g., enabling mTLS), - # default Sidecar configs, etc. should be added to this namespace. - # configRootNamespace: istio-config - - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - #defaultConfigVisibilitySettings: - #- '*' - - sds: - # SDS enabled. 
IF set to true, mTLS certificates for the sidecars will be - # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. - enabled: false - udsPath: "" - useTrustworthyJwt: false - useNormalJwt: false - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Specifies the global locality load balancing settings. - # Locality-weighted load balancing allows administrators to control the distribution of traffic to - # endpoints based on the localities of where the traffic originates and where it will terminate. - # Please set either failover or distribute configuration but not both. 
- # - # localityLbSetting: - # distribute: - # - from: "us-central1/*" - # to: - # "us-central1/*": 80 - # "us-central2/*": 20 - # - # localityLbSetting: - # failover: - # - from: us-east - # to: eu-west - # - from: us-west - # to: us-east - localityLbSetting: {} - - # Specifies whether helm test is enabled or not. - # This field is set to false by default, so 'helm template ...' - # will ignore the helm test yaml files when generating the template - enableHelmTest: false From 6487bdc198b8fb0b7a392735c91a08f6e5d77a5c Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Thu, 25 Jul 2019 15:32:20 -0400 Subject: [PATCH 29/68] clean up --- build/lint.sh | 2 -- go.mod | 1 - go.sum | 2 -- images/manager/Dockerfile | 22 +++++++++++++++------- manager/install_cortex.sh | 2 +- 5 files changed, 16 insertions(+), 13 deletions(-) diff --git a/build/lint.sh b/build/lint.sh index a060d44390..7477dcb9a1 100755 --- a/build/lint.sh +++ b/build/lint.sh @@ -64,8 +64,6 @@ output=$(cd "$ROOT" && find . -type f \ ! -path "./bin/*" \ ! -path "./.circleci/*" \ ! -path "./.git/*" \ -! -path "./manager/manifests/istio/*" \ -! -path "./manager/manifests/istio-init/*" \ ! -name LICENSE \ ! -name requirements.txt \ ! -name "go.*" \ diff --git a/go.mod b/go.mod index 2a78e49540..a9e8008d6c 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,6 @@ require ( github.com/gorilla/mux v1.7.3 github.com/gorilla/websocket v1.4.0 github.com/imdario/mergo v0.3.7 // indirect - github.com/istio/api v0.0.0-20190711203913-5c33284f6906 github.com/json-iterator/go v1.1.6 // indirect github.com/mitchellh/go-homedir v1.1.0 github.com/pkg/errors v0.8.1 diff --git a/go.sum b/go.sum index 8a2bfe7631..75719433b2 100644 --- a/go.sum +++ b/go.sum 
@@ -48,8 +48,6 @@ github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/istio/api v0.0.0-20190711203913-5c33284f6906 h1:wvePzr0ybDl+16mLMDKdRTC1T4t50DXvzw3YMOwydaM= -github.com/istio/api v0.0.0-20190711203913-5c33284f6906/go.mod h1:OzoozMDGP4fCnX+BzpeubbnZuK2aErt/1OxNAZ4w1nM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE= diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 02d85ec441..1268b259ef 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -7,7 +7,7 @@ ENV PATH /root/.local/bin:$PATH RUN pip3 install awscli --upgrade --user && \ rm -rf /root/.cache/pip* -RUN apk add --no-cache bash curl gettext jq git openssl pwgen +RUN apk add --no-cache bash curl gettext jq openssl pwgen RUN curl --location "https://github.com/weaveworks/eksctl/releases/download/0.1.40/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp && \ mv /tmp/eksctl /usr/local/bin 
@@ -25,15 +25,23 @@ COPY manager /root RUN curl -LO https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz && \ tar -zxvf helm-v2.14.1-linux-amd64.tar.gz && \ chmod +x linux-amd64/helm && \ - mv linux-amd64/helm /usr/local/bin/helm + mv linux-amd64/helm /usr/local/bin/helm && \ + rm -rf linux-amd64 && \ + rm helm-v2.14.1-linux-amd64.tar.gz + +RUN PW=$(pwgen -Bs1 12) && \ + WEBSITE=cortex.example.com && \ + openssl req \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=$WEBSITE" \ + -newkey rsa:2048 -nodes -keyout $WEBSITE.key \ + -x509 -days 3650 -out $WEBSITE.crt + + -RUN git clone https://github.com/nicholasjackson/mtls-go-example && \ - cd /root/mtls-go-example && \ - PW=$(pwgen -Bs1 12) && yes | ./generate.sh cortex.example.com $PW && \ - mkdir ../cortex.example.com && mv 1_root 2_intermediate 3_application 4_client ../cortex.example.com RUN curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.2.2 sh - && \ mv ./istio-1.2.2/install/kubernetes/helm/istio ./manifests/ && \ - mv ./istio-1.2.2/install/kubernetes/helm/istio-init ./manifests/ + mv ./istio-1.2.2/install/kubernetes/helm/istio-init ./manifests/ && \ + rm -rf ./istio-1.2.2 ENTRYPOINT ["/bin/bash"] diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 648697349d..a461dfbea0 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
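Review bot: The added `openssl req ... -nodes -keyout $WEBSITE.key` step generates the gateway's TLS private key at image build time. The unencrypted key therefore sits in an image layer, every cluster installed from this image presents the same key pair, and anyone who can pull the image can read it. The install_cortex.sh hunk of this commit then loads that baked-in file into the `istio-customgateway-certs` secret. Generating the key pair in install_cortex.sh immediately before `kubectl create ... secret tls`, and removing the files afterwards, would give each cluster its own key. `PW=$(pwgen -Bs1 12)` is no longer read by anything in this RUN and can be dropped.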
@@ -176,7 +176,7 @@ envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null kubectl create namespace istio-system -kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com/3_application/private/cortex.example.com.key.pem --cert cortex.example.com/3_application/certs/cortex.example.com.cert.pem +kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com.key --cert cortex.example.com.crt helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - sleep 60 && helm template manifests/istio --values manifests/istio.yaml --name istio --namespace istio-system | kubectl apply -f - From ee96c71a2a7c0662cdc025d3f4f62a9e650a377c Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Thu, 25 Jul 2019 22:27:20 -0400 Subject: [PATCH 30/68] clean up --- images/manager/Dockerfile | 12 +-- manager/install_cortex.sh | 2 - manager/manifests/operator.yaml | 3 +- pkg/lib/k8s/deployment.go | 1 - pkg/lib/k8s/ingress.go | 174 ++++++++++++++++++++++++++++++++ pkg/lib/k8s/k8s.go | 9 +- pkg/lib/k8s/virtual_service.go | 1 + 7 files changed, 187 insertions(+), 15 deletions(-) create mode 100644 pkg/lib/k8s/ingress.go diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 1268b259ef..a88abdba78 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile 
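Review bot: The fixed `sleep 60` between applying `istio-init` and the `istio` chart is a race. If the CRD jobs from `istio-init` take longer, the second `kubectl apply` runs against missing CRDs, and if they finish early the install waits for nothing. Waiting on the jobs instead makes the ordering explicit, e.g. `kubectl -n istio-system wait --for=condition=complete job --all --timeout=120s`, assuming the kubectl shipped in the manager image supports `wait`. The rest of the script is outside this hunk, so whether a failed apply aborts the install cannot be seen here.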
@@ -36,12 +36,10 @@ RUN PW=$(pwgen -Bs1 12) && \ -newkey rsa:2048 -nodes -keyout $WEBSITE.key \ -x509 -days 3650 -out $WEBSITE.crt - - - -RUN curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.2.2 sh - && \ - mv ./istio-1.2.2/install/kubernetes/helm/istio ./manifests/ && \ - mv ./istio-1.2.2/install/kubernetes/helm/istio-init ./manifests/ && \ - rm -rf ./istio-1.2.2 +RUN ISTIO_VERSION=1.2.2 && curl -L "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz" | tar xz && \ + ls && \ + mv ./istio-$ISTIO_VERSION/install/kubernetes/helm/istio ./manifests/ && \ + mv ./istio-$ISTIO_VERSION/install/kubernetes/helm/istio-init ./manifests/ && \ + rm -rf ./$ISTIO_VERSION ENTRYPOINT ["/bin/bash"] diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index a461dfbea0..8a5501a431 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -110,7 +110,6 @@ function validate_cortex() { if [ "$operator_load_balancer" != "ready" ]; then out=$(kubectl -n=istio-system get service operator-ingressgateway -o json | tr -d '[:space:]') if [[ $out != *'"loadBalancer":{"ingress":[{"'* ]]; then - echo "operator loadbalancer not ready" continue fi operator_load_balancer="ready" @@ -119,7 +118,6 @@ function validate_cortex() { if [ "$api_load_balancer" != "ready" ]; then out=$(kubectl -n=istio-system get service apis-ingressgateway -o json | tr -d '[:space:]') if [[ $out != *'"loadBalancer":{"ingress":[{"'* ]]; then - echo "api loadbalancer not ready" continue fi api_load_balancer="ready" diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index ed8dadc3b0..511f0c058b 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -23,6 +23,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: operator + namespace: $CORTEX_NAMESPACE subjects: - kind: ServiceAccount name: operator 
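Review bot: The cleanup at the end of the new Istio RUN removes `./$ISTIO_VERSION` (that is, `./1.2.2`), but the archive is unpacked into `./istio-$ISTIO_VERSION`, so the extracted tree stays in the layer; it should be `rm -rf ./istio-$ISTIO_VERSION`. The tarball is also piped straight from `curl -L` into `tar xz` with no integrity check and no `--fail`, so a tampered or truncated download ends up in `manifests/` and is later applied to the cluster. Downloading to a file and verifying a pinned digest before extracting, e.g. `echo "<PINNED_SHA256>  istio.tar.gz" | sha256sum -c -`, closes that gap. The stray `ls` looks like leftover debugging and can go.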
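Review bot: The added `namespace: $CORTEX_NAMESPACE` under `metadata` has no effect on a `ClusterRoleBinding`, which is cluster-scoped, so the binding still grants the referenced role in every namespace. If the intent was to confine the `operator` service account to `$CORTEX_NAMESPACE`, this needs to be a `RoleBinding` in that namespace. Otherwise the line should be dropped so the manifest does not suggest a scoping that is not there. The `roleRef` lies outside the hunk, so which role is being bound cannot be checked here.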
@@ -91,10 +92,8 @@ metadata: namespace: $CORTEX_NAMESPACE name: operator labels: - workloadID: operator workloadType: operator app: operator - service: operator spec: selector: workloadID: operator diff --git a/pkg/lib/k8s/deployment.go b/pkg/lib/k8s/deployment.go index 00b892a384..bdd4dcb704 100644 --- a/pkg/lib/k8s/deployment.go +++ b/pkg/lib/k8s/deployment.go @@ -33,7 +33,6 @@ var deploymentTypeMeta = kmeta.TypeMeta{ } type DeploymentSpec struct { - Spec *DeploymentSpec Name string Namespace string Replicas int32 diff --git a/pkg/lib/k8s/ingress.go b/pkg/lib/k8s/ingress.go new file mode 100644 index 0000000000..56f5f77de3 --- /dev/null +++ b/pkg/lib/k8s/ingress.go 
@@ -0,0 +1,174 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package k8s + +import ( + kextensions "k8s.io/api/extensions/v1beta1" + kerrors "k8s.io/apimachinery/pkg/api/errors" + kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + intstr "k8s.io/apimachinery/pkg/util/intstr" + + "github.com/cortexlabs/cortex/pkg/lib/errors" +) + +var ingressTypeMeta = kmeta.TypeMeta{ + APIVersion: "extensions/v1beta1", + Kind: "Ingress", +} + +type IngressSpec struct { + Name string + Namespace string + IngressClass string + ServiceName string + ServicePort int32 + Path string + Labels map[string]string +} + +func Ingress(spec *IngressSpec) *kextensions.Ingress { + if spec.Namespace == "" { + spec.Namespace = "default" + } + ingress := &kextensions.Ingress{ + TypeMeta: ingressTypeMeta, + ObjectMeta: kmeta.ObjectMeta{ + Name: spec.Name, + Namespace: spec.Namespace, + Annotations: map[string]string{ + "kubernetes.io/ingress.class": spec.IngressClass, + "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "https", + }, + Labels: spec.Labels, + }, + Spec: kextensions.IngressSpec{ + Rules: []kextensions.IngressRule{ + { + IngressRuleValue: kextensions.IngressRuleValue{ + HTTP: &kextensions.HTTPIngressRuleValue{ + Paths: []kextensions.HTTPIngressPath{ + { + Path: spec.Path, + Backend: kextensions.IngressBackend{ + ServiceName: spec.ServiceName, + ServicePort: intstr.IntOrString{ + IntVal: spec.ServicePort, + }, + }, + }, + }, + }, + }, + }, + }, + }, + } 
+ return ingress +} + +func (c *Client) CreateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { + ingress.TypeMeta = ingressTypeMeta + ingress, err := c.ingressClient.Create(ingress) + if err != nil { + return nil, errors.WithStack(err) + } + return ingress, nil +} + +func (c *Client) updateIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { + ingress.TypeMeta = ingressTypeMeta + ingress, err := c.ingressClient.Update(ingress) + if err != nil { + return nil, errors.WithStack(err) + } + return ingress, nil +} + +func (c *Client) ApplyIngress(ingress *kextensions.Ingress) (*kextensions.Ingress, error) { + existing, err := c.GetIngress(ingress.Name) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateIngress(ingress) + } + return c.updateIngress(ingress) +} + +func (c *Client) GetIngress(name string) (*kextensions.Ingress, error) { + ingress, err := c.ingressClient.Get(name, kmeta.GetOptions{}) + if kerrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) + } + ingress.TypeMeta = ingressTypeMeta + return ingress, nil +} + +func (c *Client) DeleteIngress(name string) (bool, error) { + err := c.ingressClient.Delete(name, deleteOpts) + if kerrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, errors.WithStack(err) + } + return true, nil +} + +func (c *Client) IngressExists(name string) (bool, error) { + ingress, err := c.GetIngress(name) + if err != nil { + return false, err + } + return ingress != nil, nil +} + +func (c *Client) ListIngresses(opts *kmeta.ListOptions) ([]kextensions.Ingress, error) { + if opts == nil { + opts = &kmeta.ListOptions{} + } + ingressList, err := c.ingressClient.List(*opts) + if err != nil { + return nil, errors.WithStack(err) + } + for i := range ingressList.Items { + ingressList.Items[i].TypeMeta = ingressTypeMeta + } + return ingressList.Items, nil +} + +func (c *Client) ListIngressesByLabels(labels 
map[string]string) ([]kextensions.Ingress, error) { + opts := &kmeta.ListOptions{ + LabelSelector: LabelSelector(labels), + } + return c.ListIngresses(opts) +} + +func (c *Client) ListIngressesByLabel(labelKey string, labelValue string) ([]kextensions.Ingress, error) { + return c.ListIngressesByLabels(map[string]string{labelKey: labelValue}) +} + +func IngressMap(ingresses []kextensions.Ingress) map[string]kextensions.Ingress { + ingressMap := map[string]kextensions.Ingress{} + for _, ingress := range ingresses { + ingressMap[ingress.Name] = ingress + } + return ingressMap +} diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index 18edaf3ec8..a4132efa2f 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -23,12 +23,13 @@ import ( kresource "k8s.io/apimachinery/pkg/api/resource" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/dynamic" + kclientdynamic "k8s.io/client-go/dynamic" kclientset "k8s.io/client-go/kubernetes" kclientapps "k8s.io/client-go/kubernetes/typed/apps/v1" kclientautoscaling "k8s.io/client-go/kubernetes/typed/autoscaling/v2beta2" kclientbatch "k8s.io/client-go/kubernetes/typed/batch/v1" kclientcore "k8s.io/client-go/kubernetes/typed/core/v1" + kclientextensions "k8s.io/client-go/kubernetes/typed/extensions/v1beta1" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" kclientrest "k8s.io/client-go/rest" kclientcmd "k8s.io/client-go/tools/clientcmd" @@ -53,8 +54,9 @@ type Client struct { istioServiceClient kclientcore.ServiceInterface configMapClient kclientcore.ConfigMapInterface deploymentClient kclientapps.DeploymentInterface - dynamicClient dynamic.Interface + dynamicClient kclientdynamic.Interface jobClient kclientbatch.JobInterface + ingressClient kclientextensions.IngressInterface hpaClient kclientautoscaling.HorizontalPodAutoscalerInterface Namespace string } 
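Review bot: In `Ingress()`, the `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https` annotation is, as far as I know, only read from `Service` objects by the AWS cloud provider, so on an Ingress it probably does nothing. The object also has no `TLS` section or host rule, so transport protection for these routes depends entirely on how the controller named by `IngressClass` is configured. If HTTPS to the backend is required, set it through whatever that controller actually reads and say so in a comment. `Ingress()` also writes `spec.Namespace = "default"` back into the caller's struct; a local variable would avoid that side effect. The exported functions in this file have no doc comments, e.g. `// GetIngress returns nil, nil when the ingress does not exist.`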
@@ -80,7 +82,7 @@ func New(namespace string, inCluster bool) (*Client, error) { return nil, errors.Wrap(err, "kubeconfig") } - client.dynamicClient, err = dynamic.NewForConfig(client.RestConfig) + client.dynamicClient, err = kclientdynamic.NewForConfig(client.RestConfig) if err != nil { return nil, errors.Wrap(err, "kubeconfig") } @@ -90,6 +92,7 @@ func New(namespace string, inCluster bool) (*Client, error) { client.istioServiceClient = client.clientset.CoreV1().Services("istio-system") client.configMapClient = client.clientset.CoreV1().ConfigMaps(namespace) client.deploymentClient = client.clientset.AppsV1().Deployments(namespace) + client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) client.jobClient = client.clientset.BatchV1().Jobs(namespace) client.hpaClient = client.clientset.AutoscalingV2beta2().HorizontalPodAutoscalers(namespace) return client, nil diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index bcedeaa436..e9b56fdfe6 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -18,6 +18,7 @@ package k8s import ( "github.com/cortexlabs/cortex/pkg/lib/errors" + kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" From b84d1e912d1d53e63f098b8b2c26b9523a805c5b Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 26 Jul 2019 00:09:08 -0400 Subject: [PATCH 31/68] address comments --- pkg/lib/k8s/k8s.go | 1 - pkg/lib/k8s/service.go | 12 ------------ pkg/lib/k8s/virtual_service.go | 27 +++++++++++++------------- pkg/operator/config/config.go | 15 +++++++++----- pkg/operator/workloads/api_workload.go | 17 +++++----------- 5 files changed, 28 insertions(+), 44 deletions(-) diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index a4132efa2f..673fb4d4f9 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go 
@@ -89,7 +89,6 @@ func New(namespace string, inCluster bool) (*Client, error) { client.podClient = client.clientset.CoreV1().Pods(namespace) client.serviceClient = client.clientset.CoreV1().Services(namespace) - client.istioServiceClient = client.clientset.CoreV1().Services("istio-system") client.configMapClient = client.clientset.CoreV1().ConfigMaps(namespace) client.deploymentClient = client.clientset.AppsV1().Deployments(namespace) client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) diff --git a/pkg/lib/k8s/service.go b/pkg/lib/k8s/service.go index 058fbbfae7..1025e9cbe3 100644 --- a/pkg/lib/k8s/service.go +++ b/pkg/lib/k8s/service.go @@ -111,18 +111,6 @@ func (c *Client) GetService(name string) (*kcore.Service, error) { return service, nil } -func (c *Client) GetIstioService(name string) (*kcore.Service, error) { - service, err := c.istioServiceClient.Get(name, kmeta.GetOptions{}) - if kerrors.IsNotFound(err) { - return nil, nil - } - if err != nil { - return nil, errors.WithStack(err) - } - service.TypeMeta = serviceTypeMeta - return service, nil -} - func (c *Client) DeleteService(name string) (bool, error) { err := c.serviceClient.Delete(name, deleteOpts) if kerrors.IsNotFound(err) { diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index e9b56fdfe6..b75b538767 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -21,8 +21,8 @@ import ( kerrors "k8s.io/apimachinery/pkg/api/errors" kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/runtime/schema" + kunstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + kschema "k8s.io/apimachinery/pkg/runtime/schema" ) var ( 
@@ -31,13 +31,13 @@ var ( Kind: "VirtualService", } - virtualServiceGVR = schema.GroupVersionResource{ + virtualServiceGVR = kschema.GroupVersionResource{ Group: "networking.istio.io", Version: "v1alpha3", Resource: "virtualservices", } - virtualServiceGVK = schema.GroupVersionKind{ + virtualServiceGVK = kschema.GroupVersionKind{ Group: "networking.istio.io", Version: "v1alpha3", Kind: "VirtualService", @@ -51,11 +51,10 @@ type VirtualServiceSpec struct { ServiceName string ServicePort int32 Path string - Labels map[string]string } -func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { - virtualServceConfig := &unstructured.Unstructured{} +func VirtualService(spec *VirtualServiceSpec) *kunstructured.Unstructured { + virtualServceConfig := &kunstructured.Unstructured{} virtualServceConfig.SetGroupVersionKind(virtualServiceGVK) virtualServceConfig.SetName(spec.Name) virtualServceConfig.SetNamespace(spec.Namespace) @@ -92,7 +91,7 @@ func VirtualService(spec *VirtualServiceSpec) *unstructured.Unstructured { return virtualServceConfig } -func (c *Client) CreateVirtualService(spec *unstructured.Unstructured) (*unstructured.Unstructured, error) { +func (c *Client) CreateVirtualService(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { virtualService, err := c.dynamicClient. Resource(virtualServiceGVR). Namespace(spec.GetNamespace()). @@ -105,7 +104,7 @@ func (c *Client) CreateVirtualService(spec *unstructured.Unstructured) (*unstruc return virtualService, nil } -func (c *Client) UpdateVirtualService(spec *unstructured.Unstructured) (*unstructured.Unstructured, error) { +func (c *Client) UpdateVirtualService(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { virtualService, err := c.dynamicClient. Resource(virtualServiceGVR). Namespace(spec.GetNamespace()). 
@@ -118,7 +117,7 @@ func (c *Client) UpdateVirtualService(spec *unstructured.Unstructured) (*unstruc return virtualService, nil } -func (c *Client) ApplyVirtualService(spec *unstructured.Unstructured) (*unstructured.Unstructured, error) { +func (c *Client) ApplyVirtualService(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { existing, err := c.GetVirtualService(spec.GetName(), spec.GetNamespace()) if err != nil { return nil, err @@ -130,7 +129,7 @@ func (c *Client) ApplyVirtualService(spec *unstructured.Unstructured) (*unstruct return c.UpdateVirtualService(spec) } -func (c *Client) GetVirtualService(name, namespace string) (*unstructured.Unstructured, error) { +func (c *Client) GetVirtualService(name, namespace string) (*kunstructured.Unstructured, error) { virtualService, err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Get(name, kmeta.GetOptions{ TypeMeta: virtualServiceTypeMeta, }) @@ -157,7 +156,7 @@ func (c *Client) DeleteVirtualService(name, namespace string) (bool, error) { return true, nil } -func (c *Client) ListVirtualServices(namespace string, opts *kmeta.ListOptions) ([]unstructured.Unstructured, error) { +func (c *Client) ListVirtualServices(namespace string, opts *kmeta.ListOptions) ([]kunstructured.Unstructured, error) { if opts == nil { opts = &kmeta.ListOptions{} } 
@@ -172,13 +171,13 @@ func (c *Client) ListVirtualServices(namespace string, opts *kmeta.ListOptions) return vsList.Items, nil } -func (c *Client) ListVirtualServicesByLabels(namespace string, labels map[string]string) ([]unstructured.Unstructured, error) { +func (c *Client) ListVirtualServicesByLabels(namespace string, labels map[string]string) ([]kunstructured.Unstructured, error) { opts := &kmeta.ListOptions{ LabelSelector: LabelSelector(labels), } return c.ListVirtualServices(namespace, opts) } -func (c *Client) ListVirtualServicesByLabel(namespace string, labelKey string, labelValue string) ([]unstructured.Unstructured, error) { +func (c *Client) ListVirtualServicesByLabel(namespace string, labelKey string, labelValue string) ([]kunstructured.Unstructured, error) { return c.ListVirtualServicesByLabels(namespace, map[string]string{labelKey: labelValue}) } diff --git a/pkg/operator/config/config.go b/pkg/operator/config/config.go index 7636faf736..41931b0254 100644 --- a/pkg/operator/config/config.go +++ b/pkg/operator/config/config.go @@ -29,11 +29,12 @@ import ( ) var ( - Cortex *CortexConfig - AWS *aws.Client - Kubernetes *k8s.Client - Telemetry *telemetry.Client - Spark *spark.Client + Cortex *CortexConfig + AWS *aws.Client + Kubernetes *k8s.Client + IstioKubernetes *k8s.Client + Telemetry *telemetry.Client + Spark *spark.Client ) type CortexConfig struct { @@ -91,6 +92,10 @@ func Init() error { return err } + if IstioKubernetes, err = k8s.New("istio-system", Cortex.OperatorInCluster); err != nil { + return err + } + if Spark, err = spark.New(Kubernetes.RestConfig, Kubernetes.Namespace); err != nil { return err } diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index 9b7d861b97..6c69e931a4 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go 
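Review bot: `IstioKubernetes` in config.go is a second full `k8s.Client` exported as a package global, with its pod, deployment, config map, ingress and job clients all bound to `istio-system` by `k8s.New`. The only use in this commit is `GetService("apis-ingressgateway")` in `APIsBaseURL`. Any operator code can now create or delete objects in the mesh namespace through it, limited only by the operator's RBAC. A doc comment stating the intended read-only use would help, e.g. `// IstioKubernetes is used only to read gateway Services in istio-system`, with the service account's rights in that namespace kept to `get`/`list` on services. The k8s.go hunk of this commit drops the `istioServiceClient` assignment, but its diffstat shows a single deletion, so the struct field appears to remain, unused.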
@@ -19,11 +19,10 @@ package workloads import ( "path" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - kapps "k8s.io/api/apps/v1" kcore "k8s.io/api/core/v1" kresource "k8s.io/apimachinery/pkg/api/resource" + kunstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" intstr "k8s.io/apimachinery/pkg/util/intstr" "github.com/cortexlabs/cortex/pkg/consts" @@ -250,7 +249,7 @@ func tfAPISpec( tfServingResourceList["nvidia.com/gpu"] = *kresource.NewQuantity(api.Compute.GPU, kresource.DecimalSI) tfServingLimitsList["nvidia.com/gpu"] = *kresource.NewQuantity(api.Compute.GPU, kresource.DecimalSI) } - spec := &k8s.DeploymentSpec{ + return k8s.Deployment(&k8s.DeploymentSpec{ Name: internalAPIName(api.Name, ctx.App.Name), Replicas: desiredReplicas, Labels: map[string]string{ @@ -361,8 +360,7 @@ func tfAPISpec( }, }, Namespace: config.Cortex.Namespace, - } - return k8s.Deployment(spec) + }) } func onnxAPISpec( @@ -461,7 +459,7 @@ func onnxAPISpec( }) } -func virtualServiceSpec(ctx *context.Context, api *context.API) *unstructured.Unstructured { +func virtualServiceSpec(ctx *context.Context, api *context.API) *kunstructured.Unstructured { return k8s.VirtualService(&k8s.VirtualServiceSpec{ Name: internalAPIName(api.Name, ctx.App.Name), Namespace: config.Cortex.Namespace, @@ -469,11 +467,6 @@ func virtualServiceSpec(ctx *context.Context, api *context.API) *unstructured.Un ServiceName: internalAPIName(api.Name, ctx.App.Name), ServicePort: defaultPortInt32, Path: context.APIPath(api.Name, ctx.App.Name), - Labels: map[string]string{ - "appName": ctx.App.Name, - "workloadType": workloadTypeAPI, - "apiName": api.Name, - }, }) } @@ -584,7 +577,7 @@ func internalAPIName(apiName string, appName string) string { } func APIsBaseURL() (string, error) { - service, err := config.Kubernetes.GetIstioService("apis-ingressgateway") + service, err := config.IstioKubernetes.GetService("apis-ingressgateway") if err != nil { return "", err } 
From 9381501d66b8c61fc8fca9c5d7259f9a1aa2cdc3 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 26 Jul 2019 09:38:08 -0400 Subject: [PATCH 32/68] unexport update --- pkg/lib/k8s/virtual_service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index b75b538767..1637b590fd 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -104,7 +104,7 @@ func (c *Client) CreateVirtualService(spec *kunstructured.Unstructured) (*kunstr return virtualService, nil } -func (c *Client) UpdateVirtualService(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { +func (c *Client) updateVirtualService(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { virtualService, err := c.dynamicClient. Resource(virtualServiceGVR). Namespace(spec.GetNamespace()). From 66fc3c06826ebcc088168a7988241f4301be04ce Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 26 Jul 2019 09:46:45 -0400 Subject: [PATCH 33/68] unexport update --- pkg/lib/k8s/virtual_service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index 1637b590fd..6ec11606c8 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -126,7 +126,7 @@ func (c *Client) ApplyVirtualService(spec *kunstructured.Unstructured) (*kunstru return c.CreateVirtualService(spec) } spec.SetResourceVersion(existing.GetResourceVersion()) - return c.UpdateVirtualService(spec) + return c.updateVirtualService(spec) } func (c *Client) GetVirtualService(name, namespace string) (*kunstructured.Unstructured, error) { From 9dd8cb507a2519878aadf0cc7d3c98716bf7dd83 Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Fri, 26 Jul 2019 11:32:53 -0400 Subject: [PATCH 34/68] remove ls, add back uninstall --- images/manager/Dockerfile | 1 - manager/uninstall_cortex.sh | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 manager/uninstall_cortex.sh diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 1d6da3805a..56cf650de5 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -37,7 +37,6 @@ RUN PW=$(pwgen -Bs1 12) && \ -x509 -days 3650 -out $WEBSITE.crt RUN ISTIO_VERSION=1.2.2 && curl -L "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz" | tar xz && \ - ls && \ mv ./istio-$ISTIO_VERSION/install/kubernetes/helm/istio ./manifests/ && \ mv ./istio-$ISTIO_VERSION/install/kubernetes/helm/istio-init ./manifests/ && \ rm -rf ./$ISTIO_VERSION diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh new file mode 100644 index 0000000000..3e4c0eba44 --- /dev/null +++ b/manager/uninstall_cortex.sh 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright 2019 Cortex Labs, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+eksctl utils write-kubeconfig --name=$CORTEX_CLUSTER --region=$CORTEX_REGION | grep -v "saved kubeconfig as" || true
+
+echo "Uninstalling Cortex ..."
+
+# Remove finalizers on sparkapplications (they sometimes create deadlocks)
+if kubectl get namespace $CORTEX_NAMESPACE >/dev/null 2>&1 && kubectl get customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1; then
+ set +e
+ kubectl -n=$CORTEX_NAMESPACE get sparkapplications.sparkoperator.k8s.io -o name | xargs -L1 \
+ kubectl -n=$CORTEX_NAMESPACE patch -p '{"metadata":{"finalizers": []}}' --type=merge >/dev/null 2>&1
+ set -e
+fi
+
+kubectl delete --ignore-not-found=true customresourcedefinition scheduledsparkapplications.sparkoperator.k8s.io >/dev/null 2>&1
+kubectl delete --ignore-not-found=true customresourcedefinition sparkapplications.sparkoperator.k8s.io >/dev/null 2>&1
+kubectl delete --ignore-not-found=true namespace istio-system >/dev/null 2>&1
+kubectl delete --ignore-not-found=true namespace $CORTEX_NAMESPACE >/dev/null 2>&1
+
+echo "✓ Uninstalled Cortex"
From 198ce5db5e48aef514dff33b398136a24111f4e9 Mon Sep 17 00:00:00 2001
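Review bot: The `eksctl utils write-kubeconfig … | grep -v … || true` line at the top of the new script discards eksctl's exit status, so if the kubeconfig cannot be written the `kubectl delete` calls below still run, against whatever context kubectl currently points to. Capturing the output first, e.g. `out=$(eksctl utils write-kubeconfig --name="$CORTEX_CLUSTER" --region="$CORTEX_REGION")` followed by `printf '%s\n' "$out" | grep -v "saved kubeconfig as" || true`, lets `set -e` stop the script before anything is deleted. The deletes also use `$CORTEX_NAMESPACE` unquoted and unchecked; `: "${CORTEX_NAMESPACE:?}"` after `set -e` would reject an empty value. Sending stderr to `/dev/null` on every delete means a failure exits the script silently, and the unconditional removal of `istio-system` is worth a comment if a cluster may carry an Istio install that Cortex did not create.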
From: Ivan Zhang Date: Fri, 26 Jul 2019 12:53:35 -0400 Subject: [PATCH 35/68] progress --- dev/registry.sh | 4 ++++ images/istio-citadel/Dockerfile | 2 ++ images/istio-galley/Dockerfile | 1 + images/istio-pilot/Dockerfile | 1 + images/istio-sidecar/Dockerfile | 1 + manager/install_cortex.sh | 2 +- manager/manifests/istio.yaml | 4 ++++ manager/uninstall_cortex.sh | 0 8 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 images/istio-citadel/Dockerfile create mode 100644 images/istio-galley/Dockerfile create mode 100644 images/istio-pilot/Dockerfile create mode 100644 images/istio-sidecar/Dockerfile mode change 100644 => 100755 manager/uninstall_cortex.sh diff --git a/dev/registry.sh b/dev/registry.sh index e5de26e425..fd4e4e1b8e 100755 --- a/dev/registry.sh +++ b/dev/registry.sh @@ -39,6 +39,10 @@ function create_registry() { aws ecr create-repository --repository-name=cortexlabs/fluentd --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/weave-kube --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/weave-npc --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-citadel --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-pilot --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-galley --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-sidecar --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/operator --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/spark --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/spark-operator --region=$REGISTRY_REGION || true diff --git a/images/istio-citadel/Dockerfile b/images/istio-citadel/Dockerfile new file mode 100644 index 0000000000..9ebe100d89 
--- /dev/null +++ b/images/istio-citadel/Dockerfile @@ -0,0 +1,2 @@ +FROM docker.io/istio/citadel:1.2.0 + diff --git a/images/istio-galley/Dockerfile b/images/istio-galley/Dockerfile new file mode 100644 index 0000000000..b26ba173a8 --- /dev/null +++ b/images/istio-galley/Dockerfile @@ -0,0 +1 @@ +FROM docker.io/istio/galley:1.2.0 diff --git a/images/istio-pilot/Dockerfile b/images/istio-pilot/Dockerfile new file mode 100644 index 0000000000..ea95387206 --- /dev/null +++ b/images/istio-pilot/Dockerfile @@ -0,0 +1 @@ +FROM docker.io/istio/pilot:1.2.0 diff --git a/images/istio-sidecar/Dockerfile b/images/istio-sidecar/Dockerfile new file mode 100644 index 0000000000..147d8c0f0f --- /dev/null +++ b/images/istio-sidecar/Dockerfile @@ -0,0 +1 @@ +FROM docker.io/istio/sidecar_injector:1.2.0 diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 8a5501a431..0aa7d881c7 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -176,7 +176,7 @@ envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null kubectl create namespace istio-system kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com.key --cert cortex.example.com.crt helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - -sleep 60 && helm template manifests/istio --values manifests/istio.yaml --name istio --namespace istio-system | kubectl apply -f - +sleep 60 && envsubst < manifests/fluentd.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio.yaml index 2a2c996203..d7b2446f12 100644 --- a/manager/manifests/istio.yaml +++ b/manager/manifests/istio.yaml 
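Review bot: `FROM docker.io/istio/citadel:1.2.0` (and the galley, pilot and sidecar_injector Dockerfiles added in the same commit) pins the control-plane images to 1.2.0, while the manager image in this series fetches the Helm charts with `ISTIO_VERSION=1.2.2`, so charts and binaries come from different releases. If that is not deliberate, the tags should match the chart version. A tag is also mutable on the registry side; pinning by digest, `FROM docker.io/istio/citadel:1.2.2@sha256:<digest>`, makes the mirrored image reproducible.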
@@ -99,6 +99,7 @@ gateways: sidecarInjectorWebhook: enabled: true + image: $CORTEX_IMAGE_ISTIO_SIDECAR alwaysInjectSelector: - matchLabels: workloadType: api @@ -106,6 +107,7 @@ sidecarInjectorWebhook: workloadType: operator galley: + image: $CORTEX_IMAGE_ISTIO_GALLEY enabled: true mixer: @@ -116,9 +118,11 @@ mixer: enabled: false pilot: + image: $CORTEX_IMAGE_ISTIO_PILOT enabled: true security: + image: $CORTEX_IMAGE_ISTIO_CITADEL enabled: true nodeagent: diff --git a/manager/uninstall_cortex.sh b/manager/uninstall_cortex.sh old mode 100644 new mode 100755 From 265a4f4745fd77a0c44de7436621c68567969782 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 26 Jul 2019 17:10:09 -0400 Subject: [PATCH 36/68] address comments --- Makefile | 16 ++++++++++++++++ cortex.sh | 23 +++++++++++++++++++++++ dev/registry.sh | 4 ++++ images/manager/Dockerfile | 13 +++++++------ manager/install_cortex.sh | 5 +++-- manager/manifests/istio.yaml | 2 -- manager/manifests/operator.yaml | 1 + pkg/lib/k8s/k8s.go | 23 +++++++++++------------ pkg/lib/k8s/virtual_service.go | 2 ++ pkg/operator/workloads/api_workload.go | 10 ++++++++++ 10 files changed, 77 insertions(+), 22 deletions(-) diff --git a/Makefile b/Makefile index 02a7354eff..caf6eaa0f8 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,14 @@ cortex-up: @./cortex.sh -c=./dev/config/cortex.sh install $(MAKE) kubectl +cortex-install: + @$(MAKE) registry-all + @./cortex.sh -c=./dev/config/cortex.sh install cortex + $(MAKE) kubectl + +cortex-uninstall: + @./cortex.sh -c=./dev/config/cortex.sh uninstall cortex + cortex-up-dev: $(MAKE) cortex-up $(MAKE) operator-stop 
@@ -137,6 +145,10 @@ ci-build-images: @./build/build-image.sh images/cluster-autoscaler cluster-autoscaler @./build/build-image.sh images/nvidia nvidia @./build/build-image.sh images/metrics-server metrics-server + @./build/build-image.sh images/istio-citadel istio-citadel + @./build/build-image.sh images/istio-galley istio-galley + @./build/build-image.sh images/istio-pilot istio-pilot + @./build/build-image.sh images/istio-sidecar istio-sidecar ci-push-images: @./build/push-image.sh manager @@ -155,6 +167,10 @@ ci-push-images: @./build/push-image.sh cluster-autoscaler @./build/push-image.sh nvidia @./build/push-image.sh metrics-server + @./build/push-image.sh istio-citadel + @./build/push-image.sh istio-galley + @./build/push-image.sh istio-pilot + @./build/push-image.sh istio-sidecar ci-build-cli: diff --git a/cortex.sh b/cortex.sh index c4274548fc..87e65d1de1 100755 --- a/cortex.sh +++ b/cortex.sh @@ -132,6 +132,10 @@ export CORTEX_IMAGE_ONNX_SERVE_GPU="${CORTEX_IMAGE_ONNX_SERVE_GPU:-cortexlabs/on export CORTEX_IMAGE_CLUSTER_AUTOSCALER="${CORTEX_IMAGE_CLUSTER_AUTOSCALER:-cortexlabs/cluster-autoscaler:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_NVIDIA="${CORTEX_IMAGE_NVIDIA:-cortexlabs/nvidia:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_METRICS_SERVER="${CORTEX_IMAGE_METRICS_SERVER:-cortexlabs/metrics-server:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_CITADEL="${CORTEX_IMAGE_ISTIO_CITADEL:-cortexlabs/istio-citadel:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_GALLEY="${CORTEX_IMAGE_ISTIO_GALLEY:-cortexlabs/istio-galley:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_PILOT="${CORTEX_IMAGE_ISTIO_PILOT:-cortexlabs/istio-pilot:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_SIDECAR="${CORTEX_IMAGE_ISTIO_SIDECAR:-cortexlabs/istio-sidecar:$CORTEX_VERSION_STABLE}" export CORTEX_ENABLE_TELEMETRY="${CORTEX_ENABLE_TELEMETRY:-""}" 
@@ -188,6 +192,10 @@ function install_cortex() { -e CORTEX_IMAGE_CLUSTER_AUTOSCALER=$CORTEX_IMAGE_CLUSTER_AUTOSCALER \ -e CORTEX_IMAGE_NVIDIA=$CORTEX_IMAGE_NVIDIA \ -e CORTEX_IMAGE_METRICS_SERVER=$CORTEX_IMAGE_METRICS_SERVER \ + -e CORTEX_IMAGE_ISTIO_CITADEL=$CORTEX_IMAGE_ISTIO_CITADEL \ + -e CORTEX_IMAGE_ISTIO_GALLEY=$CORTEX_IMAGE_ISTIO_GALLEY \ + -e CORTEX_IMAGE_ISTIO_SIDECAR=$CORTEX_IMAGE_ISTIO_SIDECAR \ + -e CORTEX_IMAGE_ISTIO_PILOT=$CORTEX_IMAGE_ISTIO_PILOT \ -e CORTEX_ENABLE_TELEMETRY=$CORTEX_ENABLE_TELEMETRY \ $CORTEX_IMAGE_MANAGER } @@ -373,6 +381,17 @@ function prompt_for_telemetry() { fi } +function uninstall_cortex() { + echo + docker run -it --entrypoint /root/uninstall_cortex.sh \ + -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ + -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ + -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ + -e CORTEX_REGION=$CORTEX_REGION \ + -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ + $CORTEX_IMAGE_MANAGER +} + ############ ### HELP ### ############ @@ -417,6 +436,8 @@ if [ "$arg1" = "install" ]; then exit 1 elif [ "$arg2" = "" ]; then prompt_for_telemetry && install_eks && install_cortex && info + elif [ "$arg2" = "cortex" ]; then + install_cortex && info elif [ "$arg2" = "cli" ]; then install_cli elif [ "$arg2" = "" ]; then @@ -435,6 +456,8 @@ elif [ "$arg1" = "uninstall" ]; then exit 1 elif [ "$arg2" = "" ]; then uninstall_eks + elif [ "$arg2" = "cortex" ]; then + uninstall_cortex elif [ "$arg2" = "cli" ]; then uninstall_cli elif [ "$arg2" = "" ]; then diff --git a/dev/registry.sh b/dev/registry.sh index 6c8de11935..93499e4637 100755 --- a/dev/registry.sh +++ b/dev/registry.sh 
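Review bot: The new `uninstall_cortex` function passes `-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY` on the `docker run` command line, which puts the secret into the process arguments where other local users can read it while the command runs. Docker forwards a variable from the caller's environment when only the name is given, so `-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \` does the same job without the value appearing in argv, provided both are exported in this shell (not visible in the hunk). The remaining expansions, including `$CORTEX_IMAGE_MANAGER`, are unquoted, so a value containing whitespace would be split into extra `docker run` arguments; quoting them (`"$CORTEX_IMAGE_MANAGER"`) avoids that.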
@@ -143,6 +143,10 @@ elif [ "$cmd" = "update" ]; then build_and_push $ROOT/images/cluster-autoscaler cluster-autoscaler latest build_and_push $ROOT/images/nvidia nvidia latest build_and_push $ROOT/images/metrics-server metrics-server latest + build_and_push $ROOT/images/istio-citadel istio-citadel latest + build_and_push $ROOT/images/istio-pilot istio-pilot latest + build_and_push $ROOT/images/istio-galley istio-galley latest + build_and_push $ROOT/images/istio-sidecar istio-sidecar latest fi build_and_push $ROOT/images/tf-api tf-api latest diff --git a/images/manager/Dockerfile b/images/manager/Dockerfile index 56cf650de5..cf2eb479bb 100644 --- a/images/manager/Dockerfile +++ b/images/manager/Dockerfile @@ -30,15 +30,16 @@ RUN curl -LO https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz && \ rm helm-v2.14.1-linux-amd64.tar.gz RUN PW=$(pwgen -Bs1 12) && \ - WEBSITE=cortex.example.com && \ + WEBSITE=localhost && \ openssl req \ - -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=$WEBSITE" \ + -subj "/C=US/CN=$WEBSITE" \ -newkey rsa:2048 -nodes -keyout $WEBSITE.key \ -x509 -days 3650 -out $WEBSITE.crt -RUN ISTIO_VERSION=1.2.2 && curl -L "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz" | tar xz && \ - mv ./istio-$ISTIO_VERSION/install/kubernetes/helm/istio ./manifests/ && \ - mv ./istio-$ISTIO_VERSION/install/kubernetes/helm/istio-init ./manifests/ && \ - rm -rf ./$ISTIO_VERSION +RUN ISTIO_VERSION=1.2.2 && \ + curl -L "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz" | tar xz && \ + mv "./istio-${ISTIO_VERSION}/install/kubernetes/helm/istio" ./manifests/ && \ + mv "./istio-${ISTIO_VERSION}/install/kubernetes/helm/istio-init" ./manifests/ && \ + rm -rf "./istio-${ISTIO_VERSION}" ENTRYPOINT ["/bin/bash"] diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 0aa7d881c7..bb9b3d9d74 100755 --- a/manager/install_cortex.sh 
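Review bot: The `openssl req … -nodes -keyout $WEBSITE.key` step runs in a `RUN` instruction, so the gateway's private key is generated once at image build time and stored in an image layer; every cluster installed from the same published manager image would share that key, and anyone who can pull the image can read it. Generating the key pair in `install_cortex.sh` at install time, just before the `kubectl create … secret tls` call, gives each cluster its own key. `PW=$(pwgen -Bs1 12)` appears unused in the lines shown, since `-nodes` writes the key unencrypted. In the rewritten Istio download, `curl -L … | tar xz` unpacks whatever the server returns; saving the archive with `curl -fsSL … -o istio.tar.gz` and checking it with `echo "<pinned-sha256>  istio.tar.gz" | sha256sum -c -` before extracting would catch a failed or altered download.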
+++ b/manager/install_cortex.sh @@ -174,9 +174,10 @@ envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null kubectl create namespace istio-system -kubectl create -n istio-system secret tls istio-customgateway-certs --key cortex.example.com.key --cert cortex.example.com.crt +kubectl create -n istio-system secret tls istio-customgateway-certs --key localhost.key --cert localhost.crt helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - -sleep 60 && envsubst < manifests/fluentd.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - +sleep 60 +envsubst < manifests/istio.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio.yaml index d7b2446f12..423104f518 100644 --- a/manager/manifests/istio.yaml +++ b/manager/manifests/istio.yaml @@ -141,7 +141,5 @@ kiali: enabled: false global: - hub: docker.io/istio - tag: 1.2.2 proxy: autoInject: disabled diff --git a/manager/manifests/operator.yaml b/manager/manifests/operator.yaml index 511f0c058b..5454e750bf 100644 --- a/manager/manifests/operator.yaml +++ b/manager/manifests/operator.yaml @@ -94,6 +94,7 @@ metadata: labels: workloadType: operator app: operator + service: operator spec: selector: workloadID: operator diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index 673fb4d4f9..f7c499123a 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go 
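Review bot: The bare `sleep 60` before the main chart is applied assumes the istio-init CRD jobs finish within a minute; on a slow cluster the `kubectl apply` that follows can run before the CRDs exist, and on a fast one the install simply waits. Waiting on the jobs themselves, for example `kubectl -n istio-system wait --for=condition=complete job --all --timeout=120s`, ties the step to the actual state. `kubectl create namespace` and `kubectl create … secret tls` on the lines above also fail when the objects already exist, which would stop a re-run of the installer here if the script runs under `set -e` (not visible in this hunk).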
@@ -47,18 +47,17 @@ var ( ) type Client struct { - RestConfig *kclientrest.Config - clientset *kclientset.Clientset - podClient kclientcore.PodInterface - serviceClient kclientcore.ServiceInterface - istioServiceClient kclientcore.ServiceInterface - configMapClient kclientcore.ConfigMapInterface - deploymentClient kclientapps.DeploymentInterface - dynamicClient kclientdynamic.Interface - jobClient kclientbatch.JobInterface - ingressClient kclientextensions.IngressInterface - hpaClient kclientautoscaling.HorizontalPodAutoscalerInterface - Namespace string + RestConfig *kclientrest.Config + clientset *kclientset.Clientset + podClient kclientcore.PodInterface + serviceClient kclientcore.ServiceInterface + configMapClient kclientcore.ConfigMapInterface + deploymentClient kclientapps.DeploymentInterface + dynamicClient kclientdynamic.Interface + jobClient kclientbatch.JobInterface + ingressClient kclientextensions.IngressInterface + hpaClient kclientautoscaling.HorizontalPodAutoscalerInterface + Namespace string } func New(namespace string, inCluster bool) (*Client, error) { diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index 6ec11606c8..83a1294d92 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go @@ -51,6 +51,7 @@ type VirtualServiceSpec struct { ServiceName string ServicePort int32 Path string + Labels map[string]string } func VirtualService(spec *VirtualServiceSpec) *kunstructured.Unstructured { @@ -61,6 +62,7 @@ func VirtualService(spec *VirtualServiceSpec) *kunstructured.Unstructured { virtualServceConfig.Object["metadata"] = map[string]interface{}{ "name": spec.Name, "namespace": spec.Namespace, + "labels": spec.Labels, } virtualServceConfig.Object["spec"] = map[string]interface{}{ "hosts": []string{"*"}, diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index 2a24394104..cdbc05f242 100644 --- a/pkg/operator/workloads/api_workload.go 
+++ b/pkg/operator/workloads/api_workload.go @@ -449,6 +449,11 @@ func onnxAPISpec( Requests: resourceList, Limits: resourceLimitsList, }, + Ports: []kcore.ContainerPort{ + { + ContainerPort: tfServingPortInt32, + }, + }, }, }, Volumes: k8s.DefaultVolumes(), @@ -467,6 +472,11 @@ func virtualServiceSpec(ctx *context.Context, api *context.API) *kunstructured.U ServiceName: internalAPIName(api.Name, ctx.App.Name), ServicePort: defaultPortInt32, Path: context.APIPath(api.Name, ctx.App.Name), + Labels: map[string]string{ + "appName": ctx.App.Name, + "workloadType": workloadTypeAPI, + "apiName": api.Name, + }, }) } From 6c9a0e3fcf40711bae90a282f83f9d8df5560be8 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 26 Jul 2019 17:11:56 -0400 Subject: [PATCH 37/68] remove newlines --- images/istio-citadel/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/images/istio-citadel/Dockerfile b/images/istio-citadel/Dockerfile index 9ebe100d89..62b57710aa 100644 --- a/images/istio-citadel/Dockerfile +++ b/images/istio-citadel/Dockerfile @@ -1,2 +1 @@ FROM docker.io/istio/citadel:1.2.0 - From 2fe7980143c94b66dfdb479a074e9524e1c06558 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 26 Jul 2019 17:16:17 -0400 Subject: [PATCH 38/68] fix api port --- pkg/operator/workloads/api_workload.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index cdbc05f242..7560942c18 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go @@ -451,7 +451,7 @@ func onnxAPISpec( }, Ports: []kcore.ContainerPort{ { - ContainerPort: tfServingPortInt32, + ContainerPort: defaultPortInt32, }, }, }, From 66121f7f798511345214d65b94c0ef1256745db1 Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Fri, 26 Jul 2019 17:56:39 -0400 Subject: [PATCH 39/68] address comments --- manager/manifests/istio.yaml | 24 ------------------------ pkg/lib/k8s/virtual_service.go | 8 ++++++++ pkg/operator/operator.go | 8 -------- 3 files changed, 8 insertions(+), 32 deletions(-) diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio.yaml index 423104f518..379d3a56ee 100644 --- a/manager/manifests/istio.yaml +++ b/manager/manifests/istio.yaml @@ -22,16 +22,6 @@ gateways: labels: app: operator-istio-gateway istio: operator-ingressgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 2 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 1800m - memory: 256Mi type: LoadBalancer ports: - port: 80 @@ -47,8 +37,6 @@ gateways: - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls - tracing: - enabled: true secretVolumes: - name: customgateway-certs secretName: istio-customgateway-certs @@ -62,16 +50,6 @@ gateways: labels: app: apis-istio-gateway istio: apis-ingressgateway - replicaCount: 1 - autoscaleMin: 1 - autoscaleMax: 2 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 1800m - memory: 256Mi type: LoadBalancer ports: - port: 80 @@ -87,8 +65,6 @@ gateways: - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls - tracing: - enabled: true secretVolumes: - name: customgateway-certs secretName: istio-customgateway-certs diff --git a/pkg/lib/k8s/virtual_service.go b/pkg/lib/k8s/virtual_service.go index 83a1294d92..9d4e4a814e 100644 --- a/pkg/lib/k8s/virtual_service.go +++ b/pkg/lib/k8s/virtual_service.go 
@@ -145,6 +145,14 @@ func (c *Client) GetVirtualService(name, namespace string) (*kunstructured.Unstr return virtualService, nil } +func (c *Client) VirtualServiceExists(name, namespace string) (bool, error) { + service, err := c.GetVirtualService(name, namespace) + if err != nil { + return false, err + } + return service != nil, nil +} + func (c *Client) DeleteVirtualService(name, namespace string) (bool, error) { err := c.dynamicClient.Resource(virtualServiceGVR).Namespace(namespace).Delete(name, &kmeta.DeleteOptions{ TypeMeta: virtualServiceTypeMeta, diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 4397059568..be56591c7e 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -53,8 +53,6 @@ func main() { router := mux.NewRouter() router.Use(panicMiddleware) - router.HandleFunc("/", Index).Methods("GET") - router.Use(apiVersionCheckMiddleware) router.Use(authMiddleware) @@ -68,12 +66,6 @@ func main() { log.Fatal(http.ListenAndServe(":"+operatorPortStr, router)) } -func Index(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "text/plain") - w.WriteHeader(http.StatusOK) - w.Write([]byte("🚀")) -} - func panicMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defer endpoints.RecoverAndRespond(w) From 1fe657ac169dbcf2664a7f50c415824894929869 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Sat, 27 Jul 2019 12:24:20 -0400 Subject: [PATCH 40/68] clean up install/uninstall --- Makefile | 4 +- cortex.sh | 15 ------- dev/cortex.sh | 67 ++++++++++++++++++++++++++++ {manager => dev}/uninstall_cortex.sh | 0 4 files changed, 69 insertions(+), 17 deletions(-) create mode 100755 dev/cortex.sh rename {manager => dev}/uninstall_cortex.sh (100%) diff --git a/Makefile b/Makefile index caf6eaa0f8..64b8a18b4d 100644 --- a/Makefile +++ b/Makefile 
@@ -34,11 +34,11 @@ cortex-up: cortex-install: @$(MAKE) registry-all - @./cortex.sh -c=./dev/config/cortex.sh install cortex + @./dev/cortex.sh install $(MAKE) kubectl cortex-uninstall: - @./cortex.sh -c=./dev/config/cortex.sh uninstall cortex + @./dev/cortex.sh uninstall cortex-up-dev: $(MAKE) cortex-up diff --git a/cortex.sh b/cortex.sh index 87200caed7..9fb42bfca5 100755 --- a/cortex.sh +++ b/cortex.sh @@ -381,17 +381,6 @@ function prompt_for_telemetry() { fi } -function uninstall_cortex() { - echo - docker run -it --entrypoint /root/uninstall_cortex.sh \ - -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ - -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ - -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ - -e CORTEX_REGION=$CORTEX_REGION \ - -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ - $CORTEX_IMAGE_MANAGER -} - ############ ### HELP ### ############ @@ -436,8 +425,6 @@ if [ "$arg1" = "install" ]; then exit 1 elif [ "$arg2" = "" ]; then prompt_for_telemetry && install_eks && install_cortex && info - elif [ "$arg2" = "cortex" ]; then - install_cortex && info elif [ "$arg2" = "cli" ]; then install_cli elif [ "$arg2" = "" ]; then @@ -456,8 +443,6 @@ elif [ "$arg1" = "uninstall" ]; then exit 1 elif [ "$arg2" = "" ]; then uninstall_eks - elif [ "$arg2" = "cortex" ]; then - uninstall_cortex elif [ "$arg2" = "cli" ]; then uninstall_cli elif [ "$arg2" = "" ]; then diff --git a/dev/cortex.sh b/dev/cortex.sh new file mode 100755 index 0000000000..76b5dd6761 --- /dev/null +++ b/dev/cortex.sh 
@@ -0,0 +1,67 @@ +ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. >/dev/null && pwd)" +PWD=$(pwd) +source $ROOT/dev/config/cortex.sh + + +function uninstall_cortex() { + $ROOT/dev/uninstall_cortex.sh \ + -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ + -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ + -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ + -e CORTEX_REGION=$CORTEX_REGION \ + -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ + $CORTEX_IMAGE_MANAGER +} + +function info() { + docker run -it --entrypoint ./info.sh \ + -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ + -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ + -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ + -e CORTEX_REGION=$CORTEX_REGION \ + -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ + $CORTEX_IMAGE_MANAGER +} + + +function install_cortex() { + docker run -it --entrypoint ./install_cortex.sh \ + -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ + -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ + -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ + -e CORTEX_REGION=$CORTEX_REGION \ + -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ + -e CORTEX_NODE_TYPE=$CORTEX_NODE_TYPE \ + -e CORTEX_LOG_GROUP=$CORTEX_LOG_GROUP \ + -e CORTEX_BUCKET=$CORTEX_BUCKET \ + -e CORTEX_IMAGE_FLUENTD=$CORTEX_IMAGE_FLUENTD \ + -e CORTEX_IMAGE_OPERATOR=$CORTEX_IMAGE_OPERATOR \ + -e CORTEX_IMAGE_SPARK=$CORTEX_IMAGE_SPARK \ + -e CORTEX_IMAGE_SPARK_OPERATOR=$CORTEX_IMAGE_SPARK_OPERATOR \ + -e CORTEX_IMAGE_TF_SERVE=$CORTEX_IMAGE_TF_SERVE \ + -e CORTEX_IMAGE_TF_TRAIN=$CORTEX_IMAGE_TF_TRAIN \ + -e CORTEX_IMAGE_TF_API=$CORTEX_IMAGE_TF_API \ + -e CORTEX_IMAGE_PYTHON_PACKAGER=$CORTEX_IMAGE_PYTHON_PACKAGER \ + -e CORTEX_IMAGE_TF_SERVE_GPU=$CORTEX_IMAGE_TF_SERVE_GPU \ + -e CORTEX_IMAGE_TF_TRAIN_GPU=$CORTEX_IMAGE_TF_TRAIN_GPU \ + -e CORTEX_IMAGE_ONNX_SERVE=$CORTEX_IMAGE_ONNX_SERVE \ + -e CORTEX_IMAGE_ONNX_SERVE_GPU=$CORTEX_IMAGE_ONNX_SERVE_GPU \ + -e CORTEX_IMAGE_CLUSTER_AUTOSCALER=$CORTEX_IMAGE_CLUSTER_AUTOSCALER \ + -e CORTEX_IMAGE_NVIDIA=$CORTEX_IMAGE_NVIDIA \ + -e 
CORTEX_IMAGE_METRICS_SERVER=$CORTEX_IMAGE_METRICS_SERVER \ + -e CORTEX_IMAGE_ISTIO_CITADEL=$CORTEX_IMAGE_ISTIO_CITADEL \ + -e CORTEX_IMAGE_ISTIO_GALLEY=$CORTEX_IMAGE_ISTIO_GALLEY \ + -e CORTEX_IMAGE_ISTIO_SIDECAR=$CORTEX_IMAGE_ISTIO_SIDECAR \ + -e CORTEX_IMAGE_ISTIO_PILOT=$CORTEX_IMAGE_ISTIO_PILOT \ + -e CORTEX_ENABLE_TELEMETRY=$CORTEX_ENABLE_TELEMETRY \ + $CORTEX_IMAGE_MANAGER +} + +cd $ROOT/manager +arg1=${1:-""} +if [ "$arg1" = "install" ]; then + install_cortex && info +elif [ "$arg1" = "uninstall" ]; then + uninstall_cortex +fi +cd $PWD diff --git a/manager/uninstall_cortex.sh b/dev/uninstall_cortex.sh similarity index 100% rename from manager/uninstall_cortex.sh rename to dev/uninstall_cortex.sh From a4e9d17668bfc070089fef2622875fbe30237594 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Sat, 27 Jul 2019 12:45:55 -0400 Subject: [PATCH 41/68] add license --- dev/cortex.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/dev/cortex.sh b/dev/cortex.sh index 76b5dd6761..6b48601e17 100755 --- a/dev/cortex.sh +++ b/dev/cortex.sh @@ -1,3 +1,19 @@ +#!/bin/bash + +# Copyright 2019 Cortex Labs, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. >/dev/null && pwd)" PWD=$(pwd) source $ROOT/dev/config/cortex.sh From f74b71bf287ce81542925879a0d292151a34caa3 Mon Sep 17 00:00:00 2001 
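Review bot: In the new `uninstall_cortex`, `$ROOT/dev/uninstall_cortex.sh` is called with the `-e NAME=value … $CORTEX_IMAGE_MANAGER` arguments left over from the `docker run` form; the script as added earlier in this series reads no positional arguments, so these only place `AWS_SECRET_ACCESS_KEY` in the process arguments without configuring anything. Calling `"$ROOT/dev/uninstall_cortex.sh"` with no arguments is enough if `dev/config/cortex.sh` exports the variables (not visible here). `PWD=$(pwd)` assigns to the shell's own `PWD`, which `cd $ROOT/manager` then overwrites, so the final `cd $PWD` does not return to the starting directory; a differently named variable, `orig_dir=$(pwd)` with `cd "$orig_dir"`, fixes that. `install_cortex` and `info` also pass the AWS secret by value on the `docker run` command line; `-e AWS_SECRET_ACCESS_KEY` with the name only keeps it out of argv.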
From: Ivan Zhang Date: Mon, 29 Jul 2019 21:14:23 -0400 Subject: [PATCH 42/68] add missing istio images --- Makefile | 7 +++++++ cortex.sh | 8 ++++---- dev/cortex.sh | 3 +++ dev/registry.sh | 7 +++++++ images/istio-citadel/Dockerfile | 2 +- images/istio-galley/Dockerfile | 2 +- images/istio-mixer/Dockerfile | 1 + images/istio-pilot/Dockerfile | 2 +- images/istio-proxy-init/Dockerfile | 1 + images/istio-proxy/Dockerfile | 1 + images/istio-sidecar/Dockerfile | 2 +- manager/manifests/istio.yaml | 8 ++++++-- 12 files changed, 34 insertions(+), 10 deletions(-) create mode 100644 images/istio-mixer/Dockerfile create mode 100644 images/istio-proxy-init/Dockerfile create mode 100644 images/istio-proxy/Dockerfile diff --git a/Makefile b/Makefile index 64b8a18b4d..936ad9da0d 100644 --- a/Makefile +++ b/Makefile @@ -149,6 +149,9 @@ ci-build-images: @./build/build-image.sh images/istio-galley istio-galley @./build/build-image.sh images/istio-pilot istio-pilot @./build/build-image.sh images/istio-sidecar istio-sidecar + @./build/build-image.sh images/istio-proxy istio-proxy + @./build/build-image.sh images/istio-proxy-init istio-proxy-init + @./build/build-image.sh images/istio-mixer istio-mixer ci-push-images: @./build/push-image.sh manager @@ -171,6 +174,10 @@ ci-push-images: @./build/push-image.sh istio-galley @./build/push-image.sh istio-pilot @./build/push-image.sh istio-sidecar + @./build/push-image.sh istio-proxy + @./build/push-image.sh istio-proxy-init + @./build/push-image.sh istio-mixer + @./build/push-image.sh kubectl ci-build-cli: diff --git a/cortex.sh b/cortex.sh index 9fb42bfca5..d0b92b6e3d 100755 --- a/cortex.sh +++ b/cortex.sh 
@@ -136,6 +136,9 @@ export CORTEX_IMAGE_ISTIO_CITADEL="${CORTEX_IMAGE_ISTIO_CITADEL:-cortexlabs/isti export CORTEX_IMAGE_ISTIO_GALLEY="${CORTEX_IMAGE_ISTIO_GALLEY:-cortexlabs/istio-galley:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_ISTIO_PILOT="${CORTEX_IMAGE_ISTIO_PILOT:-cortexlabs/istio-pilot:$CORTEX_VERSION_STABLE}" export CORTEX_IMAGE_ISTIO_SIDECAR="${CORTEX_IMAGE_ISTIO_SIDECAR:-cortexlabs/istio-sidecar:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_PROXY="${CORTEX_IMAGE_ISTIO_PROXY:-cortexlabs/istio-proxy:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_PROXY_INIT="${CORTEX_IMAGE_ISTIO_PROXY_INIT:-cortexlabs/istio-proxy-init:$CORTEX_VERSION_STABLE}" +export CORTEX_IMAGE_ISTIO_MIXER="${CORTEX_IMAGE_ISTIO_MIXER:-cortexlabs/istio-mixer:$CORTEX_VERSION_STABLE}" export CORTEX_ENABLE_TELEMETRY="${CORTEX_ENABLE_TELEMETRY:-""}" @@ -171,6 +174,7 @@ function install_cortex() { docker run -it --entrypoint /root/install_cortex.sh \ -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ + -e ISTIO_HUB=$ISTIO_HUB \ -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ -e CORTEX_REGION=$CORTEX_REGION \ -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ @@ -192,10 +196,6 @@ function install_cortex() { -e CORTEX_IMAGE_CLUSTER_AUTOSCALER=$CORTEX_IMAGE_CLUSTER_AUTOSCALER \ -e CORTEX_IMAGE_NVIDIA=$CORTEX_IMAGE_NVIDIA \ -e CORTEX_IMAGE_METRICS_SERVER=$CORTEX_IMAGE_METRICS_SERVER \ - -e CORTEX_IMAGE_ISTIO_CITADEL=$CORTEX_IMAGE_ISTIO_CITADEL \ - -e CORTEX_IMAGE_ISTIO_GALLEY=$CORTEX_IMAGE_ISTIO_GALLEY \ - -e CORTEX_IMAGE_ISTIO_SIDECAR=$CORTEX_IMAGE_ISTIO_SIDECAR \ - -e CORTEX_IMAGE_ISTIO_PILOT=$CORTEX_IMAGE_ISTIO_PILOT \ -e CORTEX_ENABLE_TELEMETRY=$CORTEX_ENABLE_TELEMETRY \ $CORTEX_IMAGE_MANAGER } diff --git a/dev/cortex.sh b/dev/cortex.sh index 6b48601e17..2bc0ddd078 100755 --- a/dev/cortex.sh +++ b/dev/cortex.sh 
@@ -69,6 +69,9 @@ function install_cortex() { -e CORTEX_IMAGE_ISTIO_GALLEY=$CORTEX_IMAGE_ISTIO_GALLEY \ -e CORTEX_IMAGE_ISTIO_SIDECAR=$CORTEX_IMAGE_ISTIO_SIDECAR \ -e CORTEX_IMAGE_ISTIO_PILOT=$CORTEX_IMAGE_ISTIO_PILOT \ + -e CORTEX_IMAGE_ISTIO_PROXY=$CORTEX_IMAGE_ISTIO_PROXY \ + -e CORTEX_IMAGE_ISTIO_PROXY_INIT=$CORTEX_IMAGE_ISTIO_PROXY_INIT \ + -e CORTEX_IMAGE_ISTIO_MIXER=$CORTEX_IMAGE_ISTIO_MIXER \ -e CORTEX_ENABLE_TELEMETRY=$CORTEX_ENABLE_TELEMETRY \ $CORTEX_IMAGE_MANAGER } diff --git a/dev/registry.sh b/dev/registry.sh index 93499e4637..734e0f8838 100755 --- a/dev/registry.sh +++ b/dev/registry.sh @@ -41,6 +41,10 @@ function create_registry() { aws ecr create-repository --repository-name=cortexlabs/istio-pilot --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/istio-galley --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/istio-sidecar --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-proxy --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-proxy-init --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/istio-mixer --region=$REGISTRY_REGION || true + aws ecr create-repository --repository-name=cortexlabs/kubectl --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/operator --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/spark --region=$REGISTRY_REGION || true aws ecr create-repository --repository-name=cortexlabs/spark-operator --region=$REGISTRY_REGION || true 
@@ -147,6 +151,9 @@ elif [ "$cmd" = "update" ]; then build_and_push $ROOT/images/istio-pilot istio-pilot latest build_and_push $ROOT/images/istio-galley istio-galley latest build_and_push $ROOT/images/istio-sidecar istio-sidecar latest + build_and_push $ROOT/images/istio-proxy istio-proxy latest + build_and_push $ROOT/images/istio-proxy-init istio-proxy-init latest + build_and_push $ROOT/images/istio-mixer istio-mixer latest fi build_and_push $ROOT/images/tf-api tf-api latest diff --git a/images/istio-citadel/Dockerfile b/images/istio-citadel/Dockerfile index 62b57710aa..68ea46a84a 100644 --- a/images/istio-citadel/Dockerfile +++ b/images/istio-citadel/Dockerfile @@ -1 +1 @@ -FROM docker.io/istio/citadel:1.2.0 +FROM docker.io/istio/citadel:1.2.2 diff --git a/images/istio-galley/Dockerfile b/images/istio-galley/Dockerfile index b26ba173a8..6008d4f26c 100644 --- a/images/istio-galley/Dockerfile +++ b/images/istio-galley/Dockerfile @@ -1 +1 @@ -FROM docker.io/istio/galley:1.2.0 +FROM docker.io/istio/galley:1.2.2 diff --git a/images/istio-mixer/Dockerfile b/images/istio-mixer/Dockerfile new file mode 100644 index 0000000000..59fb952073 --- /dev/null +++ b/images/istio-mixer/Dockerfile @@ -0,0 +1 @@ +FROM docker.io/istio/mixer:1.2.2 diff --git a/images/istio-pilot/Dockerfile b/images/istio-pilot/Dockerfile index ea95387206..57573e06c8 100644 --- a/images/istio-pilot/Dockerfile +++ b/images/istio-pilot/Dockerfile @@ -1 +1 @@ -FROM docker.io/istio/pilot:1.2.0 +FROM docker.io/istio/pilot:1.2.2 diff --git a/images/istio-proxy-init/Dockerfile b/images/istio-proxy-init/Dockerfile new file mode 100644 index 0000000000..7a7f04c6d0 --- /dev/null +++ b/images/istio-proxy-init/Dockerfile @@ -0,0 +1 @@ +FROM docker.io/istio/proxy_init:1.2.2 diff --git a/images/istio-proxy/Dockerfile b/images/istio-proxy/Dockerfile new file mode 100644 index 0000000000..2469288165 --- /dev/null +++ b/images/istio-proxy/Dockerfile @@ -0,0 +1 @@ +FROM docker.io/istio/proxyv2:1.2.2 
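Review bot: The three new Dockerfiles (`images/istio-mixer`, `images/istio-proxy-init`, `images/istio-proxy`) name their base by mutable tag only, e.g. `FROM docker.io/istio/mixer:1.2.2`, so what is re-published under `cortexlabs/` is whatever that upstream tag points to at build time. Pinning the digest makes the rebuild reproducible and reviewable: `FROM docker.io/istio/mixer:1.2.2@sha256:<digest-of-the-reviewed-image>` (placeholder; fill in the digest that was actually verified). The same applies to the citadel, galley, pilot and sidecar_injector bumps from 1.2.0 to 1.2.2 in this commit.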
diff --git a/images/istio-sidecar/Dockerfile b/images/istio-sidecar/Dockerfile index 147d8c0f0f..6572986f18 100644 --- a/images/istio-sidecar/Dockerfile +++ b/images/istio-sidecar/Dockerfile @@ -1 +1 @@ -FROM docker.io/istio/sidecar_injector:1.2.0 +FROM docker.io/istio/sidecar_injector:1.2.2 diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio.yaml index 379d3a56ee..44e83d7406 100644 --- a/manager/manifests/istio.yaml +++ b/manager/manifests/istio.yaml @@ -87,11 +87,12 @@ galley: enabled: true mixer: + image: $CORTEX_IMAGE_ISTIO_MIXER policy: - enabled: false + enabled: true telemetry: - enabled: false + enabled: true pilot: image: $CORTEX_IMAGE_ISTIO_PILOT @@ -119,3 +120,6 @@ kiali: global: proxy: autoInject: disabled + image: $CORTEX_IMAGE_ISTIO_PROXY + proxy_init: + image: $CORTEX_IMAGE_ISTIO_PROXY_INIT From f45fac2801443e00d5b53725a4dd37033951012a Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 29 Jul 2019 23:20:28 -0400 Subject: [PATCH 43/68] add to cortex --- cortex.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cortex.sh b/cortex.sh index d0b92b6e3d..ba73533484 100755 --- a/cortex.sh +++ b/cortex.sh @@ -196,6 +196,13 @@ function install_cortex() { -e CORTEX_IMAGE_CLUSTER_AUTOSCALER=$CORTEX_IMAGE_CLUSTER_AUTOSCALER \ -e CORTEX_IMAGE_NVIDIA=$CORTEX_IMAGE_NVIDIA \ -e CORTEX_IMAGE_METRICS_SERVER=$CORTEX_IMAGE_METRICS_SERVER \ + -e CORTEX_IMAGE_ISTIO_CITADEL=$CORTEX_IMAGE_ISTIO_CITADEL \ + -e CORTEX_IMAGE_ISTIO_GALLEY=$CORTEX_IMAGE_ISTIO_GALLEY \ + -e CORTEX_IMAGE_ISTIO_SIDECAR=$CORTEX_IMAGE_ISTIO_SIDECAR \ + -e CORTEX_IMAGE_ISTIO_PILOT=$CORTEX_IMAGE_ISTIO_PILOT \ + -e CORTEX_IMAGE_ISTIO_PROXY=$CORTEX_IMAGE_ISTIO_PROXY \ + -e CORTEX_IMAGE_ISTIO_PROXY_INIT=$CORTEX_IMAGE_ISTIO_PROXY_INIT \ + -e CORTEX_IMAGE_ISTIO_MIXER=$CORTEX_IMAGE_ISTIO_MIXER \ -e CORTEX_ENABLE_TELEMETRY=$CORTEX_ENABLE_TELEMETRY \ $CORTEX_IMAGE_MANAGER } From d6395b49e22ff5919e73a94591407c25424bacfa Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Tue, 30 Jul 2019 09:27:24 -0400 Subject: [PATCH 44/68] wait for istio propagation --- manager/install_cortex.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index bb9b3d9d74..08a6c98c1f 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh @@ -176,7 +176,9 @@ envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null kubectl create namespace istio-system kubectl create -n istio-system secret tls istio-customgateway-certs --key localhost.key --cert localhost.crt helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - -sleep 60 +while [ ! $(kubectl api-resources | grep virtualservice) ]; do + sleep 1 +done envsubst < manifests/istio.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null From 403845f3335f98095b6003d5bc9326a05b39de21 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Tue, 30 Jul 2019 13:07:57 -0400 Subject: [PATCH 45/68] progress --- manager/install_cortex.sh | 4 +- manager/manifests/istio-metrics.yaml | 121 ++++++++++++++++++ .../{istio.yaml => istio-values.yaml} | 1 + 3 files changed, 124 insertions(+), 2 deletions(-) create mode 100644 manager/manifests/istio-metrics.yaml rename manager/manifests/{istio.yaml => istio-values.yaml} (99%) diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 08a6c98c1f..6a653f9cf4 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
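Review bot: The loop that replaces `sleep 60` in `manager/install_cortex.sh` has no upper bound and puts an unquoted command substitution inside `[ ]`. If the istio-init jobs never register the CRDs, the installer spins forever. Once grep prints a multi-word line, `[ ! word word ... ]` is a `test` usage error, so the loop ends on an error status rather than on a real check. Testing grep's exit status directly and capping the attempts is clearer and fails loudly; the surrounding script continues outside this hunk.

```shell
# … unchanged: helm template manifests/istio-init … | kubectl apply -f - …
attempts=0
until kubectl api-resources | grep -q virtualservice; do
  attempts=$((attempts + 1))
  if [ "$attempts" -ge 300 ]; then
    echo "timed out waiting for the Istio CRDs to be registered" >&2
    exit 1
  fi
  sleep 1
done
```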
@@ -179,8 +179,8 @@ helm template manifests/istio-init --name istio-init --namespace istio-system | while [ ! $(kubectl api-resources | grep virtualservice) ]; do sleep 1 done -envsubst < manifests/istio.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - - +envsubst < manifests/istio-values.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - +envsubst < manifests/istio-metrics.yaml | kubectl apply -f - envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null envsubst < manifests/cluster-autoscaler.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml new file mode 100644 index 0000000000..93e4ccd589 --- /dev/null +++ b/manager/manifests/istio-metrics.yaml 
@@ -0,0 +1,121 @@ +# Copyright 2019 Cortex Labs, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Configuration for a metric measuring bytes sent from a server +# to a client +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: operatorsentbytes + namespace: $CORTEX_NAMESPACE +spec: + compiledTemplate: metric + params: + value: connection.sent.bytes | 0 # uses a TCP-specific attribute + dimensions: + source_service: source.workload.name | "unknown" + source_version: source.labels["version"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +# Configuration for a metric measuring bytes sent from a client +# to a server +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: operatoreceivedbytes + namespace: $CORTEX_NAMESPACE +spec: + compiledTemplate: metric + params: + value: connection.received.bytes | 0 # uses a TCP-specific attribute + dimensions: + source_service: source.workload.name | "unknown" + source_version: source.labels["version"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: instance +metadata: + name: accesslog + namespace: $CORTEX_NAMESPACE +spec: + compiledTemplate: logentry + params: + severity: '"Default"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + destinationIp: destination.ip 
| ip("0.0.0.0") + sourceUser: source.principal | "" + method: request.method | "" + url: request.path | "" + protocol: request.scheme | "http" + responseCode: response.code | 0 + responseSize: response.size | 0 + requestSize: request.size | 0 + latency: response.duration | "0ms" + monitored_resource_type: '"UNSPECIFIED"' +--- +# Configuration for a Prometheus handler +apiVersion: config.istio.io/v1alpha2 +kind: handler +metadata: + name: operatorhandler + namespace: $CORTEX_NAMESPACE +spec: + compiledAdapter: cloudwatch + params: + namespace: $CORTEX_NAMESPACE + logGroupName: $CORTEX_LOG_GROUP + logStreamName: $CORTEX_LOG_GROUP + metricInfo: + operatorsentbytes.instance.cortex: + unit: Bytes + operatorreceivedbytes.instance.cortex: + unit: Bytes + logs: + accesslog.instance.cortex: + payloadTemplate: ".sourceIp" + + # name: operator_sent_bytes # Prometheus metric name + # instance_name: operatorsentbytes.instance.$CORTEX_NAMESPACE # Mixer instance name (fully-qualified) + # kind: COUNTER + # label_names: + # - source_service + # - source_version + # - destination_version + # - name: operator_received_bytes # Prometheus metric name + # instance_name: operatorreceivedbytes.instance.$CORTEX_NAMESPACE # Mixer instance name (fully-qualified) + # kind: COUNTER + # label_names: + # - source_service + # - source_version + # - destination_version +--- +# Rule to send metric instances to a Prometheus handler +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: operatorcloudwatch + namespace: $CORTEX_NAMESPACE +spec: + match: context.protocol == "tcp" + && destination.service.host == "operator.$CORTEX_NAMESPACE.svc.cluster.local" + actions: + - handler: operatorhandler + instances: + - operatorreceivedbytes + - operatorsentbytes diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio-values.yaml similarity index 99% rename from manager/manifests/istio.yaml rename to manager/manifests/istio-values.yaml index 44e83d7406..999ec39a46 100644 
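Review bot: The handler's `metricInfo` and `logs` keys hardcode the namespace (`operatorsentbytes.instance.cortex`, `accesslog.instance.cortex`) while every resource in this new file is created in `$CORTEX_NAMESPACE`, so with any other namespace the cloudwatch adapter would presumably find no matching instance. Use `operatorsentbytes.instance.$CORTEX_NAMESPACE`, as the commented-out block below it already does; the same hardcoded suffix is carried into the later `cortex-request-count.instance.cortex` and `cortex-response-time.instance.cortex` keys. The comments `# Configuration for a Prometheus handler` and `# Rule to send metric instances to a Prometheus handler` should say CloudWatch, since the handler sets `compiledAdapter: cloudwatch`. The second instance is also named `operatoreceivedbytes` while the handler and the rule refer to `operatorreceivedbytes`.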
--- a/manager/manifests/istio.yaml +++ b/manager/manifests/istio-values.yaml @@ -123,3 +123,4 @@ global: image: $CORTEX_IMAGE_ISTIO_PROXY proxy_init: image: $CORTEX_IMAGE_ISTIO_PROXY_INIT + From 08c0847dd7366b96014499f635610ab5ac5e3542 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Tue, 30 Jul 2019 22:54:18 -0400 Subject: [PATCH 46/68] progress --- manager/manifests/istio-metrics.yaml | 47 ++-------------------------- manager/manifests/istio-values.yaml | 15 +++++++++ 2 files changed, 17 insertions(+), 45 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 93e4ccd589..ec5976a408 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -25,8 +25,6 @@ spec: value: connection.sent.bytes | 0 # uses a TCP-specific attribute dimensions: source_service: source.workload.name | "unknown" - source_version: source.labels["version"] | "unknown" - destination_version: destination.labels["version"] | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- # Configuration for a metric measuring bytes sent from a client @@ -34,7 +32,7 @@ spec: apiVersion: config.istio.io/v1alpha2 kind: instance metadata: - name: operatoreceivedbytes + name: operatorreceivedbytes namespace: $CORTEX_NAMESPACE spec: compiledTemplate: metric 
@@ -46,29 +44,6 @@ spec: destination_version: destination.labels["version"] | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: accesslog - namespace: $CORTEX_NAMESPACE -spec: - compiledTemplate: logentry - params: - severity: '"Default"' - timestamp: request.time - variables: - sourceIp: source.ip | ip("0.0.0.0") - destinationIp: destination.ip | ip("0.0.0.0") - sourceUser: source.principal | "" - method: request.method | "" - url: request.path | "" - protocol: request.scheme | "http" - responseCode: response.code | 0 - responseSize: response.size | 0 - requestSize: request.size | 0 - latency: response.duration | "0ms" - monitored_resource_type: '"UNSPECIFIED"' ---- # Configuration for a Prometheus handler apiVersion: config.istio.io/v1alpha2 kind: handler @@ -86,24 +61,7 @@ spec: unit: Bytes operatorreceivedbytes.instance.cortex: unit: Bytes - logs: - accesslog.instance.cortex: - payloadTemplate: ".sourceIp" - - # name: operator_sent_bytes # Prometheus metric name - # instance_name: operatorsentbytes.instance.$CORTEX_NAMESPACE # Mixer instance name (fully-qualified) - # kind: COUNTER - # label_names: - # - source_service - # - source_version - # - destination_version - # - name: operator_received_bytes # Prometheus metric name - # instance_name: operatorreceivedbytes.instance.$CORTEX_NAMESPACE # Mixer instance name (fully-qualified) - # kind: COUNTER - # label_names: - # - source_service - # - source_version - # - destination_version + logs: {} --- # Rule to send metric instances to a Prometheus handler apiVersion: config.istio.io/v1alpha2 @@ -113,7 +71,6 @@ metadata: namespace: $CORTEX_NAMESPACE spec: match: context.protocol == "tcp" - && destination.service.host == "operator.$CORTEX_NAMESPACE.svc.cluster.local" actions: - handler: operatorhandler instances: diff --git a/manager/manifests/istio-values.yaml b/manager/manifests/istio-values.yaml index 999ec39a46..c20199e6b6 100644 
--- a/manager/manifests/istio-values.yaml +++ b/manager/manifests/istio-values.yaml @@ -87,12 +87,27 @@ galley: enabled: true mixer: + useAdapterCRDs: true image: $CORTEX_IMAGE_ISTIO_MIXER policy: enabled: true telemetry: enabled: true + env: + AWS_REGION: $CORTEX_REGION + LOG_GROUP_NAME: $CORTEX_LOG_GROUP + AWS_ACCESS_KEY_ID: | + valueFrom: + secretKeyRef: | + name: aws-credentials + key: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + valueFrom: + secretKeyRef: + name: aws-credentials + key: AWS_SECRET_ACCESS_KEY + pilot: image: $CORTEX_IMAGE_ISTIO_PILOT From 16430b41ff102467ec3930e32ea06ef262890228 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 31 Jul 2019 12:18:33 -0400 Subject: [PATCH 47/68] progress --- manager/manifests/istio-metrics.yaml | 4 +--- manager/manifests/istio-values.yaml | 13 ++----------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index ec5976a408..5d31d3b6de 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -40,8 +40,6 @@ spec: value: connection.received.bytes | 0 # uses a TCP-specific attribute dimensions: source_service: source.workload.name | "unknown" - source_version: source.labels["version"] | "unknown" - destination_version: destination.labels["version"] | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- # Configuration for a Prometheus handler @@ -70,7 +68,7 @@ metadata: name: operatorcloudwatch namespace: $CORTEX_NAMESPACE spec: - match: context.protocol == "tcp" + match: context.protocol == "tcp" || context.protocol == "https" actions: - handler: operatorhandler instances: diff --git a/manager/manifests/istio-values.yaml b/manager/manifests/istio-values.yaml index c20199e6b6..5d5fb8c675 100644 --- a/manager/manifests/istio-values.yaml +++ b/manager/manifests/istio-values.yaml 
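Review bot: In the `mixer.env` block added to `istio-values.yaml`, `AWS_ACCESS_KEY_ID: |` turns the `valueFrom`/`secretKeyRef` lines under it into a literal multi-line string, while `AWS_SECRET_ACCESS_KEY` is given a nested map, so the two entries do not even have the same shape. If the chart renders `mixer.env` as plain name/value pairs (the template is not visible in this hunk), neither entry becomes a Kubernetes `valueFrom.secretKeyRef`. Referencing the `aws-credentials` secret is the right goal. Check the output of `helm template` for a real `secretKeyRef` on the mixer container and, if it is missing, add the reference in the chart's deployment template rather than in the values file.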
@@ -97,17 +97,8 @@ mixer: env: AWS_REGION: $CORTEX_REGION LOG_GROUP_NAME: $CORTEX_LOG_GROUP - AWS_ACCESS_KEY_ID: | - valueFrom: - secretKeyRef: | - name: aws-credentials - key: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - valueFrom: - secretKeyRef: - name: aws-credentials - key: AWS_SECRET_ACCESS_KEY - + AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY pilot: image: $CORTEX_IMAGE_ISTIO_PILOT From e02c21804e0850fd516854383d12ccf8e33a644b Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Wed, 31 Jul 2019 14:44:07 -0400 Subject: [PATCH 48/68] progress --- manager/manifests/istio-values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/manager/manifests/istio-values.yaml b/manager/manifests/istio-values.yaml index 5d5fb8c675..0cd8aa0ceb 100644 --- a/manager/manifests/istio-values.yaml +++ b/manager/manifests/istio-values.yaml @@ -97,8 +97,6 @@ mixer: env: AWS_REGION: $CORTEX_REGION LOG_GROUP_NAME: $CORTEX_LOG_GROUP - AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY pilot: image: $CORTEX_IMAGE_ISTIO_PILOT From 03c26dadec3024ce03e7b874e1d4d284b81f699f Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Thu, 1 Aug 2019 09:20:39 -0400 Subject: [PATCH 49/68] remove --- pkg/lib/k8s/k8s.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index 4c6b4db80e..ead5b7df99 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -54,7 +54,6 @@ type Client struct { serviceClient kclientcore.ServiceInterface configMapClient kclientcore.ConfigMapInterface deploymentClient kclientapps.DeploymentInterface - dynamicClient kclientdynamic.Interface jobClient kclientbatch.JobInterface ingressClient kclientextensions.IngressInterface hpaClient kclientautoscaling.HorizontalPodAutoscalerInterface From 33f75b092f42bd1511743905da4e93ab7619c06c Mon Sep 17 00:00:00 2001 
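Review bot: `AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY` are expanded by `envsubst` in `install_cortex.sh`, so the long-lived key pair is written in clear text into the rendered Helm values. It presumably also lands in the mixer pod spec, where anyone allowed to read Deployments or Pods in `istio-system` can read it. The `secretKeyRef` to `aws-credentials` that this hunk replaces kept the values out of the manifest; if the chart's `env` map cannot carry a `valueFrom`, add the two variables in the chart's deployment template as `secretKeyRef` entries instead. The same two lines are removed in PATCH 48 and re-added by the `@@ -97,6 +97,8 @@` hunk of PATCH 50 ("track requests"), where this applies again.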
From: Ivan Zhang Date: Fri, 2 Aug 2019 12:42:27 -0400 Subject: [PATCH 50/68] track requests --- Makefile | 8 -- manager/install_cortex.sh | 14 +-- manager/manifests/istio-metrics.yaml | 57 +++++---- manager/manifests/istio-values.yaml | 2 + pkg/lib/k8s/rules.go | 175 +++++++++++++++++++++++++++ 5 files changed, 212 insertions(+), 44 deletions(-) create mode 100644 pkg/lib/k8s/rules.go diff --git a/Makefile b/Makefile index a121b5fbbd..53e6587697 100644 --- a/Makefile +++ b/Makefile @@ -32,14 +32,6 @@ cortex-up: @./cortex.sh -c=./dev/config/cortex.sh install @$(MAKE) kubectl -cortex-install: - @$(MAKE) registry-all - @./dev/cortex.sh install - $(MAKE) kubectl - -cortex-uninstall: - @./dev/cortex.sh uninstall - cortex-up-dev: @$(MAKE) cortex-up @$(MAKE) operator-stop diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index f67de5da12..5c5f5f0f2a 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
@@ -173,19 +173,19 @@ setup_secrets envsubst < manifests/spark.yaml | kubectl apply -f - >/dev/null envsubst < manifests/fluentd.yaml | kubectl apply -f - >/dev/null -kubectl create namespace istio-system +kubectl create namespace istio-system >/dev/null WEBSITE=localhost openssl req \ -subj "/C=US/CN=$WEBSITE" \ -newkey rsa:2048 -nodes -keyout $WEBSITE.key \ - -x509 -days 3650 -out $WEBSITE.crt -kubectl create -n istio-system secret tls istio-customgateway-certs --key $WEBSITE.key --cert $WEBSITE.crt -helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - -while [ ! $(kubectl api-resources | grep virtualservice) ]; do + -x509 -days 3650 -out $WEBSITE.crt >/dev/null +kubectl create -n istio-system secret tls istio-customgateway-certs --key $WEBSITE.key --cert $WEBSITE.crt >/dev/null +helm template manifests/istio-init --name istio-init --namespace istio-system | kubectl apply -f - >/dev/null +while [ ! "$(kubectl api-resources | grep virtualservice)" ]; do sleep 1 done -envsubst < manifests/istio.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - - +envsubst < manifests/istio-values.yaml | helm template manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - >/dev/null +envsubst < manifests/istio-metrics.yaml | kubectl apply -f - >/dev/null envsubst < manifests/operator.yaml | kubectl apply -f - >/dev/null envsubst < manifests/apis.yaml | kubectl apply -f - >/dev/null envsubst < manifests/cluster-autoscaler.yaml | kubectl apply -f - >/dev/null diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 5d31d3b6de..13bbe7837b 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml 
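Review bot: The key produced by `-nodes -keyout $WEBSITE.key` is unencrypted and stays in the working directory after it has been loaded into the `istio-customgateway-certs` secret; add `rm -f "$WEBSITE.key" "$WEBSITE.crt"` right after the `kubectl create -n istio-system secret tls ...` line. The certificate is self-signed for `CN=localhost` with `-days 3650`, so gateway clients cannot validate it against the name they actually connect to. A comment saying that it is a placeholder, and how a real certificate is supplied, would prevent it from being mistaken for working TLS. The added `>/dev/null` redirections hide only stdout, and the wait loop below them still has no timeout.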
@@ -17,36 +17,26 @@ apiVersion: config.istio.io/v1alpha2 kind: instance metadata: - name: operatorsentbytes + name: cortex-request-count namespace: $CORTEX_NAMESPACE spec: compiledTemplate: metric params: - value: connection.sent.bytes | 0 # uses a TCP-specific attribute + value: "1" dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "client", "server") source_service: source.workload.name | "unknown" + namespace: source.namespace | "unknown" + path: request.url_path | "unknown" + origin_ip: origin.ip + response_duration: response.duration + request_time: request.time monitoredResourceType: '"UNSPECIFIED"' --- -# Configuration for a metric measuring bytes sent from a client -# to a server -apiVersion: config.istio.io/v1alpha2 -kind: instance -metadata: - name: operatorreceivedbytes - namespace: $CORTEX_NAMESPACE -spec: - compiledTemplate: metric - params: - value: connection.received.bytes | 0 # uses a TCP-specific attribute - dimensions: - source_service: source.workload.name | "unknown" - monitoredResourceType: '"UNSPECIFIED"' ---- -# Configuration for a Prometheus handler apiVersion: config.istio.io/v1alpha2 kind: handler metadata: - name: operatorhandler + name: cortex-request-handler namespace: $CORTEX_NAMESPACE spec: compiledAdapter: cloudwatch 
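Review bot: `origin_ip: origin.ip`, `response_duration: response.duration` and `request_time: request.time` are used as dimensions of `cortex-request-count`, which goes to the cloudwatch adapter. CloudWatch treats every distinct combination of dimension values as a separate metric, so a timestamp and a duration in the dimension set turn practically every request into its own series. That makes the count useless for aggregation and adds cost. It also places client IPs and request paths in metric metadata, which calls for a deliberate decision on who can read them and for how long. These three expressions have no fallback, unlike `source.workload.name | "unknown"`, so evaluation may fail when an attribute is absent. I would keep only low-cardinality dimensions (`reporter`, `source_service`, `namespace`) here; the same block is copied into `cortex-response-time` in PATCH 51.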
@@ -55,22 +45,31 @@ spec: logGroupName: $CORTEX_LOG_GROUP logStreamName: $CORTEX_LOG_GROUP metricInfo: - operatorsentbytes.instance.cortex: - unit: Bytes - operatorreceivedbytes.instance.cortex: - unit: Bytes + cortex-request-count.instance.cortex: + unit: Count logs: {} --- -# Rule to send metric instances to a Prometheus handler apiVersion: config.istio.io/v1alpha2 kind: rule metadata: - name: operatorcloudwatch + name: cortex-operator-requests + namespace: $CORTEX_NAMESPACE +spec: + match: source.workload.name == "operator-ingressgateway" + actions: + - handler: cortex-request-handler + instances: + - cortex-request-count +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: cortex-apis-requests namespace: $CORTEX_NAMESPACE spec: - match: context.protocol == "tcp" || context.protocol == "https" + match: source.workload.name == "apis-ingressgateway" actions: - - handler: operatorhandler + - handler: cortex-request-handler instances: - - operatorreceivedbytes - - operatorsentbytes + - cortex-request-count +--- diff --git a/manager/manifests/istio-values.yaml b/manager/manifests/istio-values.yaml index 0cd8aa0ceb..5d5fb8c675 100644 --- a/manager/manifests/istio-values.yaml +++ b/manager/manifests/istio-values.yaml @@ -97,6 +97,8 @@ mixer: env: AWS_REGION: $CORTEX_REGION LOG_GROUP_NAME: $CORTEX_LOG_GROUP + AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY pilot: image: $CORTEX_IMAGE_ISTIO_PILOT diff --git a/pkg/lib/k8s/rules.go b/pkg/lib/k8s/rules.go new file mode 100644 index 0000000000..338da6ca83 --- /dev/null +++ b/pkg/lib/k8s/rules.go 
@@ -0,0 +1,175 @@ +/* +Copyright 2019 Cortex Labs, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package k8s + +import ( + "github.com/cortexlabs/cortex/pkg/lib/errors" + + kerrors "k8s.io/apimachinery/pkg/api/errors" + kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" + kunstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + kschema "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + ruleTypeMeta = kmeta.TypeMeta{ + APIVersion: "v1alpha2", + Kind: "Rule", + } + + ruleGVR = kschema.GroupVersionResource{ + Group: "config.istio.io", + Version: "v1alpha2", + Resource: "Rule", + } + + ruleGVK = kschema.GroupVersionKind{ + Group: "rule.istio.io", + Version: "v1alpha2", + Kind: "Rule", + } +) + +type RuleSpec struct { + Name string + Namespace string + Match string + Path string + handlerInstances map[string][]string +} + +func Rule(spec *RuleSpec) *kunstructured.Unstructured { + RuleConfig := &kunstructured.Unstructured{} + RuleConfig.SetGroupVersionKind(ruleGVK) + RuleConfig.SetName(spec.Name) + RuleConfig.SetNamespace(spec.Namespace) + RuleConfig.Object["metadata"] = map[string]interface{}{ + "name": spec.Name, + "namespace": spec.Namespace, + } + + actions := []map[string]interface{}{} + for handler, instances := range spec.handlerInstances { + actions = append(actions, map[string]interface{}{ + handler: instances, + }) + } + + RuleConfig.Object["spec"] = map[string]interface{}{ + "actions": actions, + } + + return RuleConfig +} + +func (c *Client) CreateRule(spec 
*kunstructured.Unstructured) (*kunstructured.Unstructured, error) { + rule, err := c.dynamicClient. + Resource(ruleGVR). + Namespace(spec.GetNamespace()). + Create(spec, kmeta.CreateOptions{ + TypeMeta: ruleTypeMeta, + }) + if err != nil { + return nil, errors.WithStack(err) + } + return rule, nil +} + +func (c *Client) updateRule(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { + rule, err := c.dynamicClient. + Resource(ruleGVR). + Namespace(spec.GetNamespace()). + Update(spec, kmeta.UpdateOptions{ + TypeMeta: ruleTypeMeta, + }) + if err != nil { + return nil, errors.WithStack(err) + } + return rule, nil +} + +func (c *Client) ApplyRule(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { + existing, err := c.GetRule(spec.GetName(), spec.GetNamespace()) + if err != nil { + return nil, err + } + if existing == nil { + return c.CreateRule(spec) + } + spec.SetResourceVersion(existing.GetResourceVersion()) + return c.updateVirtualService(spec) +} + +func (c *Client) GetRule(name, namespace string) (*kunstructured.Unstructured, error) { + rule, err := c.dynamicClient.Resource(ruleGVR).Namespace(namespace).Get(name, kmeta.GetOptions{ + TypeMeta: ruleTypeMeta, + }) + + if kerrors.IsNotFound(err) { + return nil, nil + } + if err != nil { + return nil, errors.WithStack(err) + } + return rule, nil +} + +func (c *Client) RuleExists(name, namespace string) (bool, error) { + rule, err := c.GetRule(name, namespace) + if err != nil { + return false, err + } + return rule != nil, nil +} + +func (c *Client) DeleteRule(name, namespace string) (bool, error) { + err := c.dynamicClient.Resource(ruleGVR).Namespace(namespace).Delete(name, &kmeta.DeleteOptions{ + TypeMeta: ruleTypeMeta, + }) + if kerrors.IsNotFound(err) { + return false, nil + } + if err != nil { + return false, errors.WithStack(err) + } + return true, nil +} + +func (c *Client) ListRules(namespace string, opts *kmeta.ListOptions) ([]kunstructured.Unstructured, error) { + if 
opts == nil { + opts = &kmeta.ListOptions{} + } + + vsList, err := c.dynamicClient.Resource(ruleGVR).Namespace(namespace).List(*opts) + if err != nil { + return nil, errors.WithStack(err) + } + for i := range vsList.Items { + vsList.Items[i].SetGroupVersionKind(ruleGVK) + } + return vsList.Items, nil +} + +func (c *Client) ListRulesByLabels(namespace string, labels map[string]string) ([]kunstructured.Unstructured, error) { + opts := &kmeta.ListOptions{ + LabelSelector: LabelSelector(labels), + } + return c.ListRules(namespace, opts) +} + +func (c *Client) ListRulesByLabel(namespace string, labelKey string, labelValue string) ([]kunstructured.Unstructured, error) { + return c.ListRulesByLabels(namespace, map[string]string{labelKey: labelValue}) +} From 4a40457c20f069f3aaeb7ff8ed0e1caa15c0b138 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 2 Aug 2019 13:44:13 -0400 Subject: [PATCH 51/68] track response time --- manager/manifests/istio-metrics.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 13bbe7837b..eeae0e1e5b 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -34,6 +34,25 @@ spec: monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: cortex-response-time + namespace: $CORTEX_NAMESPACE +spec: + compiledTemplate: metric + params: + value: response.duration + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "client", "server") + source_service: source.workload.name | "unknown" + namespace: source.namespace | "unknown" + path: request.url_path | "unknown" + origin_ip: origin.ip + response_duration: response.duration + request_time: request.time + monitoredResourceType: '"UNSPECIFIED"' +--- +apiVersion: config.istio.io/v1alpha2 kind: handler metadata: name: cortex-request-handler 
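Review bot: `ApplyRule` in the new `pkg/lib/k8s/rules.go` ends with `return c.updateVirtualService(spec)`, so an existing Rule is handed to what is presumably the VirtualService update helper; it should be `return c.updateRule(spec)`. The type identifiers disagree with each other: `ruleGVK` uses group `rule.istio.io` while `ruleGVR` and the manifests use `config.istio.io`, `ruleTypeMeta.APIVersion` is `v1alpha2` without the group, and `Resource: "Rule"` most likely needs the lowercase plural `rules` for the dynamic client. `Rule()` never writes `spec.Match` or `spec.Path` into the object, and it emits each action as `{handler: instances}` instead of the `handler:` and `instances:` keys used by the YAML rules in this commit. Every method uses `c.dynamicClient`, a field that PATCH 49 removed from `Client` in `k8s.go`, so unless it is declared elsewhere this file does not compile.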
@@ -47,6 +66,8 @@ spec: metricInfo: cortex-request-count.instance.cortex: unit: Count + cortex-response-time.instance.cortex: + unit: Milliseconds logs: {} --- apiVersion: config.istio.io/v1alpha2 @@ -60,6 +81,7 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count + - cortex-response-time --- apiVersion: config.istio.io/v1alpha2 kind: rule @@ -72,4 +94,5 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count + - cortex-response-time --- From 76519d12e886324890324869f8f0a0570ba69c8e Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 2 Aug 2019 15:13:38 -0400 Subject: [PATCH 52/68] report errors --- examples/iris/cortex.yaml | 2 +- manager/manifests/istio-metrics.yaml | 28 +++++ pkg/lib/k8s/rules.go | 175 --------------------------- 3 files changed, 29 insertions(+), 176 deletions(-) delete mode 100644 pkg/lib/k8s/rules.go diff --git a/examples/iris/cortex.yaml b/examples/iris/cortex.yaml index db0f730f58..5620e17fa7 100644 --- a/examples/iris/cortex.yaml +++ b/examples/iris/cortex.yaml @@ -15,7 +15,7 @@ model: s3://cortex-examples/iris/xgboost.onnx request_handler: handlers/xgboost.py -- kind: api +- kind: apir name: sklearn model: s3://cortex-examples/iris/sklearn.onnx request_handler: handlers/sklearn.py diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index eeae0e1e5b..47788cb8cc 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -30,6 +30,7 @@ spec: path: request.url_path | "unknown" origin_ip: origin.ip response_duration: response.duration + response_code: response.code request_time: request.time monitoredResourceType: '"UNSPECIFIED"' --- 
@@ -96,3 +97,30 @@ spec: - cortex-request-count - cortex-response-time --- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: cortex-apis-errors + namespace: $CORTEX_NAMESPACE +spec: + match: source.workload.name == "apis-ingressgateway" && response.code >= 400 + actions: + - handler: cortex-request-handler + instances: + - cortex-request-count + - cortex-response-time +--- +apiVersion: config.istio.io/v1alpha2 +kind: rule +metadata: + name: cortex-operator-errors + namespace: $CORTEX_NAMESPACE +spec: + match: source.workload.name == "operator-ingressgateway" && response.code >= 400 + actions: + - handler: cortex-request-handler + instances: + - cortex-request-count + - cortex-response-time +--- + diff --git a/pkg/lib/k8s/rules.go b/pkg/lib/k8s/rules.go deleted file mode 100644 index 338da6ca83..0000000000 --- a/pkg/lib/k8s/rules.go +++ /dev/null 
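Review bot: The new rules `cortex-apis-errors` and `cortex-operator-errors` send the same instances (`cortex-request-count`, `cortex-response-time`) to the same handler as the existing per-gateway request rules, so a response with code 400 or above would presumably be reported twice, and nothing in the output marks it as an error. If the aim is an error metric, a dedicated instance, or filtering on the `response_code` dimension added earlier in this patch, would do it without a second pair of rules. It is also worth confirming that Mixer's expression language accepts `>=` in `match`; I only know of `==`, `!=`, `&&`, `||` and `|` there, in which case these rules would fail config validation.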
@@ -1,175 +0,0 @@ -/* -Copyright 2019 Cortex Labs, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -package k8s - -import ( - "github.com/cortexlabs/cortex/pkg/lib/errors" - - kerrors "k8s.io/apimachinery/pkg/api/errors" - kmeta "k8s.io/apimachinery/pkg/apis/meta/v1" - kunstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - kschema "k8s.io/apimachinery/pkg/runtime/schema" -) - -var ( - ruleTypeMeta = kmeta.TypeMeta{ - APIVersion: "v1alpha2", - Kind: "Rule", - } - - ruleGVR = kschema.GroupVersionResource{ - Group: "config.istio.io", - Version: "v1alpha2", - Resource: "Rule", - } - - ruleGVK = kschema.GroupVersionKind{ - Group: "rule.istio.io", - Version: "v1alpha2", - Kind: "Rule", - } -) - -type RuleSpec struct { - Name string - Namespace string - Match string - Path string - handlerInstances map[string][]string -} - -func Rule(spec *RuleSpec) *kunstructured.Unstructured { - RuleConfig := &kunstructured.Unstructured{} - RuleConfig.SetGroupVersionKind(ruleGVK) - RuleConfig.SetName(spec.Name) - RuleConfig.SetNamespace(spec.Namespace) - RuleConfig.Object["metadata"] = map[string]interface{}{ - "name": spec.Name, - "namespace": spec.Namespace, - } - - actions := []map[string]interface{}{} - for handler, instances := range spec.handlerInstances { - actions = append(actions, map[string]interface{}{ - handler: instances, - }) - } - - RuleConfig.Object["spec"] = map[string]interface{}{ - "actions": actions, - } - - return RuleConfig -} - -func (c *Client) CreateRule(spec 
*kunstructured.Unstructured) (*kunstructured.Unstructured, error) { - rule, err := c.dynamicClient. - Resource(ruleGVR). - Namespace(spec.GetNamespace()). - Create(spec, kmeta.CreateOptions{ - TypeMeta: ruleTypeMeta, - }) - if err != nil { - return nil, errors.WithStack(err) - } - return rule, nil -} - -func (c *Client) updateRule(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { - rule, err := c.dynamicClient. - Resource(ruleGVR). - Namespace(spec.GetNamespace()). - Update(spec, kmeta.UpdateOptions{ - TypeMeta: ruleTypeMeta, - }) - if err != nil { - return nil, errors.WithStack(err) - } - return rule, nil -} - -func (c *Client) ApplyRule(spec *kunstructured.Unstructured) (*kunstructured.Unstructured, error) { - existing, err := c.GetRule(spec.GetName(), spec.GetNamespace()) - if err != nil { - return nil, err - } - if existing == nil { - return c.CreateRule(spec) - } - spec.SetResourceVersion(existing.GetResourceVersion()) - return c.updateVirtualService(spec) -} - -func (c *Client) GetRule(name, namespace string) (*kunstructured.Unstructured, error) { - rule, err := c.dynamicClient.Resource(ruleGVR).Namespace(namespace).Get(name, kmeta.GetOptions{ - TypeMeta: ruleTypeMeta, - }) - - if kerrors.IsNotFound(err) { - return nil, nil - } - if err != nil { - return nil, errors.WithStack(err) - } - return rule, nil -} - -func (c *Client) RuleExists(name, namespace string) (bool, error) { - rule, err := c.GetRule(name, namespace) - if err != nil { - return false, err - } - return rule != nil, nil -} - -func (c *Client) DeleteRule(name, namespace string) (bool, error) { - err := c.dynamicClient.Resource(ruleGVR).Namespace(namespace).Delete(name, &kmeta.DeleteOptions{ - TypeMeta: ruleTypeMeta, - }) - if kerrors.IsNotFound(err) { - return false, nil - } - if err != nil { - return false, errors.WithStack(err) - } - return true, nil -} - -func (c *Client) ListRules(namespace string, opts *kmeta.ListOptions) ([]kunstructured.Unstructured, error) { - if 
opts == nil { - opts = &kmeta.ListOptions{} - } - - vsList, err := c.dynamicClient.Resource(ruleGVR).Namespace(namespace).List(*opts) - if err != nil { - return nil, errors.WithStack(err) - } - for i := range vsList.Items { - vsList.Items[i].SetGroupVersionKind(ruleGVK) - } - return vsList.Items, nil -} - -func (c *Client) ListRulesByLabels(namespace string, labels map[string]string) ([]kunstructured.Unstructured, error) { - opts := &kmeta.ListOptions{ - LabelSelector: LabelSelector(labels), - } - return c.ListRules(namespace, opts) -} - -func (c *Client) ListRulesByLabel(namespace string, labelKey string, labelValue string) ([]kunstructured.Unstructured, error) { - return c.ListRulesByLabels(namespace, map[string]string{labelKey: labelValue}) -} From 2caa12c109985cd99a17e75cbe2e6e9f888a00a1 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 2 Aug 2019 15:16:45 -0400 Subject: [PATCH 53/68] lint --- manager/manifests/istio-metrics.yaml | 1 - manager/manifests/istio-values.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 47788cb8cc..fd3e69c356 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -123,4 +123,3 @@ spec: - cortex-request-count - cortex-response-time --- - diff --git a/manager/manifests/istio-values.yaml b/manager/manifests/istio-values.yaml index 5d5fb8c675..794f1a2ce3 100644 --- a/manager/manifests/istio-values.yaml +++ b/manager/manifests/istio-values.yaml @@ -129,4 +129,3 @@ global: image: $CORTEX_IMAGE_ISTIO_PROXY proxy_init: image: $CORTEX_IMAGE_ISTIO_PROXY_INIT - From fd9dfde2827f420640558c73fc36ac97bdaa8a71 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Fri, 2 Aug 2019 16:26:53 -0400 Subject: [PATCH 54/68] remove error --- examples/iris/cortex.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/iris/cortex.yaml b/examples/iris/cortex.yaml index 5620e17fa7..db0f730f58 100644 
--- a/examples/iris/cortex.yaml +++ b/examples/iris/cortex.yaml @@ -15,7 +15,7 @@ model: s3://cortex-examples/iris/xgboost.onnx request_handler: handlers/xgboost.py -- kind: apir +- kind: api name: sklearn model: s3://cortex-examples/iris/sklearn.onnx request_handler: handlers/sklearn.py From 74a97aa2c4fc7bb0dd450749120c304239030c85 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 11:19:56 -0400 Subject: [PATCH 55/68] undo leftover changes --- cortex.sh | 1 - pkg/operator/workloads/api_workload.go | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/cortex.sh b/cortex.sh index 42ac0f8852..10daa034e8 100755 --- a/cortex.sh +++ b/cortex.sh @@ -174,7 +174,6 @@ function install_cortex() { docker run -it --entrypoint /root/install_cortex.sh \ -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ - -e ISTIO_HUB=$ISTIO_HUB \ -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ -e CORTEX_REGION=$CORTEX_REGION \ -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ diff --git a/pkg/operator/workloads/api_workload.go b/pkg/operator/workloads/api_workload.go index c5c95ddd8b..8101258a2a 100644 --- a/pkg/operator/workloads/api_workload.go +++ b/pkg/operator/workloads/api_workload.go @@ -249,6 +249,7 @@ func tfAPISpec( tfServingResourceList["nvidia.com/gpu"] = *kresource.NewQuantity(api.Compute.GPU, kresource.DecimalSI) tfServingLimitsList["nvidia.com/gpu"] = *kresource.NewQuantity(api.Compute.GPU, kresource.DecimalSI) } + return k8s.Deployment(&k8s.DeploymentSpec{ Name: internalAPIName(api.Name, ctx.App.Name), Replicas: desiredReplicas, From 091c0144fddef8a5d92a5873a86855df7747e424 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 11:21:10 -0400 Subject: [PATCH 56/68] remove dev/cortex.sh --- dev/cortex.sh | 86 --------------------------------------------------- 1 file changed, 86 deletions(-) delete mode 100755 dev/cortex.sh diff --git a/dev/cortex.sh b/dev/cortex.sh deleted file mode 100755 index 2bc0ddd078..0000000000 
--- a/dev/cortex.sh
+++ /dev/null
@@ -1,86 +0,0 @@ -#!/bin/bash - -# Copyright 2019 Cortex Labs, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. >/dev/null && pwd)" -PWD=$(pwd) -source $ROOT/dev/config/cortex.sh - - -function uninstall_cortex() { - $ROOT/dev/uninstall_cortex.sh \ - -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ - -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ - -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ - -e CORTEX_REGION=$CORTEX_REGION \ - -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ - $CORTEX_IMAGE_MANAGER -} - -function info() { - docker run -it --entrypoint ./info.sh \ - -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ - -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ - -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ - -e CORTEX_REGION=$CORTEX_REGION \ - -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ - $CORTEX_IMAGE_MANAGER -} - - -function install_cortex() { - docker run -it --entrypoint ./install_cortex.sh \ - -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ - -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ - -e CORTEX_CLUSTER=$CORTEX_CLUSTER \ - -e CORTEX_REGION=$CORTEX_REGION \ - -e CORTEX_NAMESPACE=$CORTEX_NAMESPACE \ - -e CORTEX_NODE_TYPE=$CORTEX_NODE_TYPE \ - -e CORTEX_LOG_GROUP=$CORTEX_LOG_GROUP \ - -e CORTEX_BUCKET=$CORTEX_BUCKET \ - -e CORTEX_IMAGE_FLUENTD=$CORTEX_IMAGE_FLUENTD \ - -e CORTEX_IMAGE_OPERATOR=$CORTEX_IMAGE_OPERATOR \ - -e CORTEX_IMAGE_SPARK=$CORTEX_IMAGE_SPARK \ - -e CORTEX_IMAGE_SPARK_OPERATOR=$CORTEX_IMAGE_SPARK_OPERATOR \ - -e 
CORTEX_IMAGE_TF_SERVE=$CORTEX_IMAGE_TF_SERVE \ - -e CORTEX_IMAGE_TF_TRAIN=$CORTEX_IMAGE_TF_TRAIN \ - -e CORTEX_IMAGE_TF_API=$CORTEX_IMAGE_TF_API \ - -e CORTEX_IMAGE_PYTHON_PACKAGER=$CORTEX_IMAGE_PYTHON_PACKAGER \ - -e CORTEX_IMAGE_TF_SERVE_GPU=$CORTEX_IMAGE_TF_SERVE_GPU \ - -e CORTEX_IMAGE_TF_TRAIN_GPU=$CORTEX_IMAGE_TF_TRAIN_GPU \ - -e CORTEX_IMAGE_ONNX_SERVE=$CORTEX_IMAGE_ONNX_SERVE \ - -e CORTEX_IMAGE_ONNX_SERVE_GPU=$CORTEX_IMAGE_ONNX_SERVE_GPU \ - -e CORTEX_IMAGE_CLUSTER_AUTOSCALER=$CORTEX_IMAGE_CLUSTER_AUTOSCALER \ - -e CORTEX_IMAGE_NVIDIA=$CORTEX_IMAGE_NVIDIA \ - -e CORTEX_IMAGE_METRICS_SERVER=$CORTEX_IMAGE_METRICS_SERVER \ - -e CORTEX_IMAGE_ISTIO_CITADEL=$CORTEX_IMAGE_ISTIO_CITADEL \ - -e CORTEX_IMAGE_ISTIO_GALLEY=$CORTEX_IMAGE_ISTIO_GALLEY \ - -e CORTEX_IMAGE_ISTIO_SIDECAR=$CORTEX_IMAGE_ISTIO_SIDECAR \ - -e CORTEX_IMAGE_ISTIO_PILOT=$CORTEX_IMAGE_ISTIO_PILOT \ - -e CORTEX_IMAGE_ISTIO_PROXY=$CORTEX_IMAGE_ISTIO_PROXY \ - -e CORTEX_IMAGE_ISTIO_PROXY_INIT=$CORTEX_IMAGE_ISTIO_PROXY_INIT \ - -e CORTEX_IMAGE_ISTIO_MIXER=$CORTEX_IMAGE_ISTIO_MIXER \ - -e CORTEX_ENABLE_TELEMETRY=$CORTEX_ENABLE_TELEMETRY \ - $CORTEX_IMAGE_MANAGER -} - -cd $ROOT/manager -arg1=${1:-""} -if [ "$arg1" = "install" ]; then - install_cortex && info -elif [ "$arg1" = "uninstall" ]; then - uninstall_cortex -fi -cd $PWD From c7f4802496ee68af4d85e7955a515134e2989c60 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 11:22:10 -0400 Subject: [PATCH 57/68] remove json indirect dep --- go.mod | 1 - go.sum | 2 -- 2 files changed, 3 deletions(-) diff --git a/go.mod b/go.mod index a9e8008d6c..902fd7445a 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,6 @@ require ( github.com/gorilla/mux v1.7.3 github.com/gorilla/websocket v1.4.0 github.com/imdario/mergo v0.3.7 // indirect - github.com/json-iterator/go v1.1.6 // indirect github.com/mitchellh/go-homedir v1.1.0 github.com/pkg/errors v0.8.1 github.com/spf13/cobra v0.0.5 diff --git a/go.sum b/go.sum index 75719433b2..36fb0e3dc2 100644 --- a/go.sum 
+++ b/go.sum @@ -52,8 +52,6 @@ github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5i github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be h1:AHimNtVIpiBjPUhEF5KNCkrUyqTSA5zWUl8sQ2bfGBE= github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= From 8b981a7e1e9fcf3739749946f2f0cc1dc479df84 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 12:27:25 -0400 Subject: [PATCH 58/68] track requests --- manager/install_cortex.sh | 4 +++- manager/manifests/istio-metrics.yaml | 25 ------------------------- 2 files changed, 3 insertions(+), 26 deletions(-) diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index c48620027a..002dad964f 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
@@ -97,8 +97,10 @@ function setup_istio() { done echo -n "." - envsubst < manifests/istio.yaml | helm template istio-manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - >/dev/null + envsubst < manifests/istio-values.yaml | helm template istio-manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - >/dev/null envsubst < manifests/istio-metrics.yaml | kubectl apply -f - >/dev/null + kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_ACCESS_KEY_ID}}}}]' + kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_SECRET_ACCESS_KEY}}}}]' } function validate_cortex() { diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index fd3e69c356..672c00365e 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -35,25 +35,6 @@ spec: monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 -kind: instance -metadata: - name: cortex-response-time - namespace: $CORTEX_NAMESPACE -spec: - compiledTemplate: metric - params: - value: response.duration - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "client", "server") - source_service: source.workload.name | "unknown" - namespace: source.namespace | "unknown" - path: request.url_path | "unknown" - origin_ip: origin.ip - response_duration: response.duration - request_time: request.time - monitoredResourceType: '"UNSPECIFIED"' ---- -apiVersion: config.istio.io/v1alpha2 kind: handler metadata: name: cortex-request-handler 
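Review bot: The JSON passed to both new `kubectl patch` calls is not valid: `"key": AWS_ACCESS_KEY_ID` and `"key": AWS_SECRET_ACCESS_KEY` are bare tokens inside a single-quoted string, so nothing expands them and the patch is expected to be rejected; they should read `"key": "AWS_ACCESS_KEY_ID"` and `"key": "AWS_SECRET_ACCESS_KEY"`. The same two lines are carried unchanged into the `@@ -99,8 +99,10 @@` hunk of PATCH 65. `secretKeyRef` resolves only in the pod's namespace, so `aws-credentials` has to exist in `istio-system` (its creation is not visible here), and since these are long-lived keys handed to the policy pod they should be scoped to only what the adapter needs. `setup_istio` starts above the hunk, so whether a failed patch aborts the install cannot be judged from here.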
@@ -67,8 +48,6 @@ spec: metricInfo: cortex-request-count.instance.cortex: unit: Count - cortex-response-time.instance.cortex: - unit: Milliseconds logs: {} --- apiVersion: config.istio.io/v1alpha2 @@ -82,7 +61,6 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count - - cortex-response-time --- apiVersion: config.istio.io/v1alpha2 kind: rule @@ -95,7 +73,6 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count - - cortex-response-time --- apiVersion: config.istio.io/v1alpha2 kind: rule @@ -108,7 +85,6 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count - - cortex-response-time --- apiVersion: config.istio.io/v1alpha2 kind: rule @@ -121,5 +97,4 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count - - cortex-response-time --- From 35b12584e1df68d9d50c8565b1bc167ec9b7b475 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 13:21:48 -0400 Subject: [PATCH 59/68] fix ordering --- pkg/lib/k8s/k8s.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/lib/k8s/k8s.go b/pkg/lib/k8s/k8s.go index ead5b7df99..46de5e1acb 100644 --- a/pkg/lib/k8s/k8s.go +++ b/pkg/lib/k8s/k8s.go @@ -90,8 +90,8 @@ func New(namespace string, inCluster bool) (*Client, error) { client.serviceClient = client.clientset.CoreV1().Services(namespace) client.configMapClient = client.clientset.CoreV1().ConfigMaps(namespace) client.deploymentClient = client.clientset.AppsV1().Deployments(namespace) - client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) client.jobClient = client.clientset.BatchV1().Jobs(namespace) + client.ingressClient = client.clientset.ExtensionsV1beta1().Ingresses(namespace) client.hpaClient = client.clientset.AutoscalingV2beta2().HorizontalPodAutoscalers(namespace) return client, nil } From 7a0390978d0a17f50d6f55daf6eada07c919986a Mon Sep 17 00:00:00 2001 
From: Ivan Zhang Date: Mon, 5 Aug 2019 16:13:51 -0400 Subject: [PATCH 60/68] clean up metrics --- manager/manifests/istio-metrics.yaml | 69 ++++++++++------------------ 1 file changed, 24 insertions(+), 45 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 672c00365e..513cff240e 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -24,14 +24,26 @@ spec: params: value: "1" dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "client", "server") - source_service: source.workload.name | "unknown" - namespace: source.namespace | "unknown" - path: request.url_path | "unknown" - origin_ip: origin.ip - response_duration: response.duration - response_code: response.code - request_time: request.time + API_ID: source.uid | "unknown" + APP_NAME: source.labels["appName"] | "unknown" + API_NAME: source.labels["apiName"] | "unknown" + WORKLOAD_TYPE: source.labels["workloadType"] | "unknown" + monitoredResourceType: '"UNSPECIFIED"' +--- +apiVersion: config.istio.io/v1alpha2 +kind: instance +metadata: + name: cortex-response-time + namespace: $CORTEX_NAMESPACE +spec: + compiledTemplate: metric + params: + value: response.duration + dimensions: + API_ID: source.uid | "unknown" + APP_NAME: source.labels["appName"] | "unknown" + API_NAME: source.labels["apiName"] | "unknown" + WORKLOAD_TYPE: source.labels["workloadType"] | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 
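Review bot: `APP_NAME`, `API_NAME` and `WORKLOAD_TYPE` are read from `source.labels[...]`, but the only rule left by this patch matches `source.workload.name == "apis-ingressgateway"`, so the source is the gateway and these dimensions will most likely all resolve to `"unknown"` (`API_ID: source.uid` would likewise be the gateway pod's uid). If the labels live on the API pods, `APP_NAME: destination.labels["appName"] | "unknown"` and its siblings are presumably what was meant. The same four lines are duplicated in the new `cortex-response-time` instance and need the same change.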
@@ -48,24 +60,14 @@ spec: metricInfo: cortex-request-count.instance.cortex: unit: Count + cortex-response-time.instance.cortex: + unit: Milliseconds logs: {} --- apiVersion: config.istio.io/v1alpha2 kind: rule metadata: - name: cortex-operator-requests - namespace: $CORTEX_NAMESPACE -spec: - match: source.workload.name == "operator-ingressgateway" - actions: - - handler: cortex-request-handler - instances: - - cortex-request-count ---- -apiVersion: config.istio.io/v1alpha2 -kind: rule -metadata: - name: cortex-apis-requests + name: cortex-api-requests namespace: $CORTEX_NAMESPACE spec: match: source.workload.name == "apis-ingressgateway" @@ -73,28 +75,5 @@ spec: - handler: cortex-request-handler instances: - cortex-request-count ---- -apiVersion: config.istio.io/v1alpha2 -kind: rule -metadata: - name: cortex-apis-errors - namespace: $CORTEX_NAMESPACE -spec: - match: source.workload.name == "apis-ingressgateway" && response.code >= 400 - actions: - - handler: cortex-request-handler - instances: - - cortex-request-count ---- -apiVersion: config.istio.io/v1alpha2 -kind: rule -metadata: - name: cortex-operator-errors - namespace: $CORTEX_NAMESPACE -spec: - match: source.workload.name == "operator-ingressgateway" && response.code >= 400 - actions: - - handler: cortex-request-handler - instances: - - cortex-request-count + - cortex-response-time --- From 770a11f5d0f428539659937fc5da7bc04e619ff2 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 16:20:22 -0400 Subject: [PATCH 61/68] remove api ID --- manager/manifests/istio-metrics.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 513cff240e..1a961ac3c0 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml 
@@ -24,7 +24,6 @@ spec: params: value: "1" dimensions: - API_ID: source.uid | "unknown" APP_NAME: source.labels["appName"] | "unknown" API_NAME: source.labels["apiName"] | "unknown" WORKLOAD_TYPE: source.labels["workloadType"] | "unknown" @@ -40,7 +39,6 @@ spec: params: value: response.duration dimensions: - API_ID: source.uid | "unknown" APP_NAME: source.labels["appName"] | "unknown" API_NAME: source.labels["apiName"] | "unknown" WORKLOAD_TYPE: source.labels["workloadType"] | "unknown" From c7ad6a6976086d501d94a4c06dff70426d82625d Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 16:20:57 -0400 Subject: [PATCH 62/68] remove workloadType --- manager/manifests/istio-metrics.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 1a961ac3c0..95cf202902 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -26,7 +26,6 @@ spec: dimensions: APP_NAME: source.labels["appName"] | "unknown" API_NAME: source.labels["apiName"] | "unknown" - WORKLOAD_TYPE: source.labels["workloadType"] | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 @@ -41,7 +40,6 @@ spec: dimensions: APP_NAME: source.labels["appName"] | "unknown" API_NAME: source.labels["apiName"] | "unknown" - WORKLOAD_TYPE: source.labels["workloadType"] | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 From a7799009573d36b3258a76f8dbaa12c2811c5c28 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 16:49:42 -0400 Subject: [PATCH 63/68] record response time from ingress --- manager/manifests/istio-metrics.yaml | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index 95cf202902..a29a2f531c 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml 
@@ -16,20 +16,6 @@ # to a client apiVersion: config.istio.io/v1alpha2 kind: instance -metadata: - name: cortex-request-count - namespace: $CORTEX_NAMESPACE -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - APP_NAME: source.labels["appName"] | "unknown" - API_NAME: source.labels["apiName"] | "unknown" - monitoredResourceType: '"UNSPECIFIED"' ---- -apiVersion: config.istio.io/v1alpha2 -kind: instance metadata: name: cortex-response-time namespace: $CORTEX_NAMESPACE @@ -38,8 +24,9 @@ spec: params: value: response.duration dimensions: - APP_NAME: source.labels["appName"] | "unknown" - API_NAME: source.labels["apiName"] | "unknown" + SOURCE_NAME: source.workload.name | "unknown" + REQUEST_PATH: request.url_path | "unknown" + DESTINATION_NAME: destination.service.name | "unknown" monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 @@ -54,8 +41,6 @@ spec: logGroupName: $CORTEX_LOG_GROUP logStreamName: $CORTEX_LOG_GROUP metricInfo: - cortex-request-count.instance.cortex: - unit: Count cortex-response-time.instance.cortex: unit: Milliseconds logs: {} @@ -70,6 +55,5 @@ spec: actions: - handler: cortex-request-handler instances: - - cortex-request-count - cortex-response-time --- From 60cf44c685683b17220402b994ec502893bb7a9a Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 16:50:40 -0400 Subject: [PATCH 64/68] remove istio.yaml --- manager/manifests/istio.yaml | 125 ----------------------------------- 1 file changed, 125 deletions(-) delete mode 100644 manager/manifests/istio.yaml diff --git a/manager/manifests/istio.yaml b/manager/manifests/istio.yaml deleted file mode 100644 index 44e83d7406..0000000000 --- a/manager/manifests/istio.yaml +++ /dev/null 
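Review bot: `REQUEST_PATH: request.url_path | "unknown"` turns a client-chosen string into a metric dimension on the rule that matches traffic from `apis-ingressgateway`, so anyone who can reach the gateway can create an unbounded number of distinct series, one per path requested, which is a cost and availability concern for the metrics backend. `DESTINATION_NAME: destination.service.name | "unknown"` already identifies the API; consider dropping `REQUEST_PATH`, or mapping it to a fixed set of known routes with `conditional(...)`. A one-line comment above `dimensions:` stating that every dimension must be bounded would help the next reader.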
@@ -1,125 +0,0 @@ -# Copyright 2019 Cortex Labs, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -gateways: - enabled: true - istio-ingressgateway: - enabled: false - operator-ingressgateway: - namespace: istio-system - enabled: true - labels: - app: operator-istio-gateway - istio: operator-ingressgateway - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - name: http2 - - port: 443 - name: https - - port: 31400 - name: tcp - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - secretVolumes: - - name: customgateway-certs - secretName: istio-customgateway-certs - mountPath: /etc/istio/customgateway-certs - - name: customgateway-ca-certs - secretName: istio-customgateway-ca-certs - mountPath: /etc/istio/customgateway-ca-certs - apis-ingressgateway: - namespace: istio-system - enabled: true - labels: - app: apis-istio-gateway - istio: apis-ingressgateway - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - name: http2 - - port: 443 - name: https - - port: 31400 - name: tcp - - port: 15011 - targetPort: 15011 - name: tcp-pilot-grpc-tls - - port: 8060 - targetPort: 8060 - name: tcp-citadel-grpc-tls - secretVolumes: - - name: customgateway-certs - secretName: istio-customgateway-certs - mountPath: /etc/istio/customgateway-certs - - name: customgateway-ca-certs - secretName: istio-customgateway-ca-certs - mountPath: /etc/istio/customgateway-ca-certs - -sidecarInjectorWebhook: - 
enabled: true - image: $CORTEX_IMAGE_ISTIO_SIDECAR - alwaysInjectSelector: - - matchLabels: - workloadType: api - - matchLabels: - workloadType: operator - -galley: - image: $CORTEX_IMAGE_ISTIO_GALLEY - enabled: true - -mixer: - image: $CORTEX_IMAGE_ISTIO_MIXER - policy: - enabled: true - - telemetry: - enabled: true - -pilot: - image: $CORTEX_IMAGE_ISTIO_PILOT - enabled: true - -security: - image: $CORTEX_IMAGE_ISTIO_CITADEL - enabled: true - -nodeagent: - enabled: false - -grafana: - enabled: false - -prometheus: - enabled: false - -tracing: - enabled: false - -kiali: - enabled: false - -global: - proxy: - autoInject: disabled - image: $CORTEX_IMAGE_ISTIO_PROXY - proxy_init: - image: $CORTEX_IMAGE_ISTIO_PROXY_INIT From 3c71bbb8808b38c8c0211b28c003b69582b8f086 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Mon, 5 Aug 2019 17:31:59 -0400 Subject: [PATCH 65/68] clean up --- manager/install_cortex.sh | 6 ++++-- manager/manifests/istio-values.yaml | 3 --- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 002dad964f..23639008ee 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
@@ -99,8 +99,10 @@ function setup_istio() {
 echo -n "."
 envsubst < manifests/istio-values.yaml | helm template istio-manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - >/dev/null
 envsubst < manifests/istio-metrics.yaml | kubectl apply -f - >/dev/null
- kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_ACCESS_KEY_ID}}}}]'
- kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_SECRET_ACCESS_KEY}}}}]'
+ kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_ACCESS_KEY_ID}}}}]' >/dev/null
+ kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_SECRET_ACCESS_KEY}}}}]' >/dev/null
+ kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/volumes/-", "value": {"name": "cortex-config", "configMap": {"name": "cortex-config"}}}]' >/dev/null
+ kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/-", "value": {"name": "cortex-config", "mountPath": "/configs/cortex"}}]' >/dev/null
 }
 function validate_cortex() {
diff --git a/manager/manifests/istio-values.yaml b/manager/manifests/istio-values.yaml
index 794f1a2ce3..c59cff806f 100644
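Review bot: The added `kubectl patch` calls in `setup_istio` (PATCH 65, manager/install_cortex.sh) use JSON Patch `add` on `/-` paths, which always appends, so re-running the installer can stack duplicate `AWS_*` env entries and a second `cortex-config` volume on `istio-policy`, and a duplicate volume name would likely make the deployment invalid. The `secretKeyRef` entries also depend on an `aws-credentials` Secret existing in `istio-system`; Secrets are namespace-scoped and nothing in this hunk creates one there, so confirm it before the patch runs. Declaring the env vars and volume in the values rendered by `helm template` would keep the step idempotent. The `"key": AWS_ACCESS_KEY_ID` values are bare words; quote them as `"key": "AWS_ACCESS_KEY_ID"` so the payload is strict JSON. The append-only patch is carried into the PATCH 66 and 67 hunks, and the function body starts outside this hunk.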
--- a/manager/manifests/istio-values.yaml +++ b/manager/manifests/istio-values.yaml @@ -87,7 +87,6 @@ galley: enabled: true mixer: - useAdapterCRDs: true image: $CORTEX_IMAGE_ISTIO_MIXER policy: enabled: true @@ -97,8 +96,6 @@ mixer: env: AWS_REGION: $CORTEX_REGION LOG_GROUP_NAME: $CORTEX_LOG_GROUP - AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY pilot: image: $CORTEX_IMAGE_ISTIO_PILOT From 0189836d3091ac84ad849f8eb532abc8948bec04 Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Tue, 6 Aug 2019 15:45:48 -0400 Subject: [PATCH 66/68] address comments and fix secrets bug --- manager/install_cortex.sh | 13 +++++++++---- manager/manifests/istio-metrics.yaml | 11 +++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 23639008ee..f06db505e2 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
@@ -99,10 +99,15 @@ function setup_istio() {
 echo -n "."
 envsubst < manifests/istio-values.yaml | helm template istio-manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - >/dev/null
 envsubst < manifests/istio-metrics.yaml | kubectl apply -f - >/dev/null
- kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_ACCESS_KEY_ID}}}}]' >/dev/null
- kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": AWS_SECRET_ACCESS_KEY}}}}]' >/dev/null
- kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/volumes/-", "value": {"name": "cortex-config", "configMap": {"name": "cortex-config"}}}]' >/dev/null
- kubectl patch deployment istio-policy -n istio-system --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/-", "value": {"name": "cortex-config", "mountPath": "/configs/cortex"}}]' >/dev/null
+ istio_patch="[
+ {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_ACCESS_KEY_ID\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_ACCESS_KEY_ID\"}}}},\
+ {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_SECRET_ACCESS_KEY\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_SECRET_ACCESS_KEY\"}}}},\
+ ]"
+ kubectl -n=istio-system create secret generic 'aws-credentials' \
+ --from-literal='AWS_ACCESS_KEY_ID'=$AWS_ACCESS_KEY_ID \
+ --from-literal='AWS_SECRET_ACCESS_KEY'=$AWS_SECRET_ACCESS_KEY \
+ -o yaml --dry-run | kubectl
apply -f - >/dev/null + kubectl patch deployment istio-telemetry -n istio-system --type='json' -p="$istio_patch" } function validate_cortex() { diff --git a/manager/manifests/istio-metrics.yaml b/manager/manifests/istio-metrics.yaml index a29a2f531c..def8b358f2 100644 --- a/manager/manifests/istio-metrics.yaml +++ b/manager/manifests/istio-metrics.yaml @@ -12,22 +12,17 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Configuration for a metric measuring bytes sent from a server -# to a client apiVersion: config.istio.io/v1alpha2 kind: instance metadata: - name: cortex-response-time + name: response-time namespace: $CORTEX_NAMESPACE spec: compiledTemplate: metric params: value: response.duration dimensions: - SOURCE_NAME: source.workload.name | "unknown" REQUEST_PATH: request.url_path | "unknown" - DESTINATION_NAME: destination.service.name | "unknown" - monitoredResourceType: '"UNSPECIFIED"' --- apiVersion: config.istio.io/v1alpha2 kind: handler @@ -41,7 +36,7 @@ spec: logGroupName: $CORTEX_LOG_GROUP logStreamName: $CORTEX_LOG_GROUP metricInfo: - cortex-response-time.instance.cortex: + response-time.instance.cortex: unit: Milliseconds logs: {} --- @@ -55,5 +50,5 @@ spec: actions: - handler: cortex-request-handler instances: - - cortex-response-time + - response-time --- From 851c82fe1f4ba9318935803fbd6449ad0394144c Mon Sep 17 00:00:00 2001 From: Ivan Zhang Date: Tue, 6 Aug 2019 21:37:38 -0400 Subject: [PATCH 67/68] address comments --- manager/install_cortex.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh index 731487c6fe..3f76bd837f 100755 --- a/manager/install_cortex.sh +++ b/manager/install_cortex.sh 
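Review bot: The added `kubectl create secret` in `setup_istio` (PATCH 66, manager/install_cortex.sh) passes the AWS secret key as a `--from-literal` argument, so the value sits in kubectl's argv and is readable through the process list on whatever host or container runs the installer while the command is alive. The expansions are also unquoted, so an empty or unset variable silently produces a Secret with an empty value instead of an error. At minimum quote them, `--from-literal='AWS_SECRET_ACCESS_KEY'="$AWS_SECRET_ACCESS_KEY"`, and fail early when either variable is empty; supplying the values from a file or stdin rather than as arguments keeps them off the command line. The `istio_patch` array also ends with a trailing comma before `]`, which is not strict JSON and appears to rely on kubectl parsing the patch leniently. The same lines are moved unchanged by PATCH 67 and touched again in PATCH 68, and the function body starts outside this hunk.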
@@ -95,19 +95,18 @@ function setup_istio() {
 echo -n "."
 sleep 5
 done
-
- helm template istio-manifests/istio-cni --name istio-cni --namespace kube-system | kubectl apply -f - >/dev/null
 echo -n "."
+ helm template istio-manifests/istio-cni --name istio-cni --namespace kube-system | kubectl apply -f - >/dev/null
 envsubst < manifests/istio-values.yaml | helm template istio-manifests/istio --values - --name istio --namespace istio-system | kubectl apply -f - >/dev/null
 envsubst < manifests/istio-metrics.yaml | kubectl apply -f - >/dev/null
+ kubectl -n=istio-system create secret generic 'aws-credentials' \
+ --from-literal='AWS_ACCESS_KEY_ID'=$AWS_ACCESS_KEY_ID \
+ --from-literal='AWS_SECRET_ACCESS_KEY'=$AWS_SECRET_ACCESS_KEY \
+ -o yaml --dry-run | kubectl apply -f - >/dev/nulls
 istio_patch="[
 {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_ACCESS_KEY_ID\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_ACCESS_KEY_ID\"}}}},\
 {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_SECRET_ACCESS_KEY\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_SECRET_ACCESS_KEY\"}}}},\
 ]"
- kubectl -n=istio-system create secret generic 'aws-credentials' \
- --from-literal='AWS_ACCESS_KEY_ID'=$AWS_ACCESS_KEY_ID \
- --from-literal='AWS_SECRET_ACCESS_KEY'=$AWS_SECRET_ACCESS_KEY \
- -o yaml --dry-run | kubectl apply -f - >/dev/null
 kubectl patch deployment istio-telemetry -n istio-system --type='json' -p="$istio_patch"
 }
From 61c3622fe912c984e5125c4d1a30b53065dc0b3c Mon Sep 17 00:00:00 2001
From: Ivan Zhang
Date: Tue, 6 Aug 2019 22:26:23 -0400
Subject: [PATCH 68/68] nulls -> null
---
 manager/install_cortex.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manager/install_cortex.sh b/manager/install_cortex.sh
index 3f76bd837f..ffadb86c81 100755
--- a/manager/install_cortex.sh
+++ b/manager/install_cortex.sh
@@ -102,7 +102,7 @@ function setup_istio() {
 kubectl -n=istio-system create secret generic 'aws-credentials' \
 --from-literal='AWS_ACCESS_KEY_ID'=$AWS_ACCESS_KEY_ID \
 --from-literal='AWS_SECRET_ACCESS_KEY'=$AWS_SECRET_ACCESS_KEY \
- -o yaml --dry-run | kubectl apply -f - >/dev/nulls
+ -o yaml --dry-run | kubectl apply -f - >/dev/null
 istio_patch="[
 {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_ACCESS_KEY_ID\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_ACCESS_KEY_ID\"}}}},\
 {\"op\": \"add\", \"path\": \"/spec/template/spec/containers/0/env/-\", \"value\": {\"name\": \"AWS_SECRET_ACCESS_KEY\", \"valueFrom\": {\"secretKeyRef\": {\"name\": \"aws-credentials\", \"key\": \"AWS_SECRET_ACCESS_KEY\"}}}},\