diff --git a/crds/files/crd-12.yaml b/crds/files/crd-12.yaml deleted file mode 100644 index 2b73a220671e..000000000000 --- a/crds/files/crd-12.yaml +++ /dev/null @@ -1,26 +0,0 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: authorizationpolicies.rbac.istio.io - labels: - app: istio-pilot - istio: rbac - heritage: Tiller - release: istio -spec: - group: rbac.istio.io - names: - kind: AuthorizationPolicy - plural: authorizationpolicies - singular: authorizationpolicy - categories: - - istio-io - - rbac-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha1 - served: true - storage: true ---- diff --git a/crds/kustomization.yaml b/crds/kustomization.yaml index 395c8f09fed5..7b263a241e34 100644 --- a/crds/kustomization.yaml +++ b/crds/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization resources: - files/crd-10.yaml - files/crd-11.yaml - - files/crd-12.yaml - files/crd-14.yaml - files/crd-certmanager-10.yaml - files/crd-certmanager-11.yaml diff --git a/crds/templates/crds.yaml b/crds/templates/crds.yaml index 1551730450e8..8f2de77450c6 100644 --- a/crds/templates/crds.yaml +++ b/crds/templates/crds.yaml @@ -1,6 +1,5 @@ {{ .Files.Get "files/crd-10.yaml" }} {{ .Files.Get "files/crd-11.yaml" }} -{{ .Files.Get "files/crd-12.yaml" }} {{ .Files.Get "files/crd-14.yaml" }} {{- if .Values.certmanager }} {{- if .Values.certmanager.enabled }} diff --git a/gateways/istio-egress/templates/deployment.yaml b/gateways/istio-egress/templates/deployment.yaml index e28a7deadf60..ab9c7ec34ec7 100644 --- a/gateways/istio-egress/templates/deployment.yaml +++ b/gateways/istio-egress/templates/deployment.yaml 
@@ -1,12 +1,12 @@ {{ $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- $labels := (dict "app" "istio-egressgateway" "istio" "egressgateway") }} apiVersion: apps/v1 kind: Deployment metadata: name: istio-egressgateway namespace: {{ .Release.Namespace }} labels: - app: istio-egressgateway - istio: egressgateway +{{ $labels | toYaml | indent 4 }} release: {{ .Release.Name }} spec: {{- if not $gateway.autoscaleEnabled }} @@ -25,8 +25,7 @@ spec: template: metadata: labels: - app: istio-egressgateway - istio: egressgateway +{{ $labels | toYaml | indent 8 }} {{- if eq .Release.Namespace "istio-system"}} heritage: Tiller release: istio @@ -182,6 +181,13 @@ spec: value: istio-egressgateway - name: ISTIO_META_OWNER value: kubernetes://api/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/istio-egressgateway + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain }}" + {{- end }} - name: ISTIO_META_POD_NAME valueFrom: fieldRef: @@ -208,6 +214,13 @@ spec: value: | {{ toJson $gateway.podAnnotations | indent 16}} {{ end }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ $labels | toJson }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" volumeMounts: {{ if .Values.global.sds.enabled }} - name: sdsudspath diff --git a/gateways/istio-egress/values.yaml b/gateways/istio-egress/values.yaml index 31afee759a9f..ac2b13d63bbd 100644 --- a/gateways/istio-egress/values.yaml +++ b/gateways/istio-egress/values.yaml @@ -37,7 +37,7 @@ gateways: memory: 128Mi limits: cpu: 2000m - memory: 256Mi + memory: 1024Mi cpu: targetAverageUtilization: 80 
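Review bot: The new env values in the `@@ -182,6 +181,13 @@` and `@@ -208,6 +214,13 @@` hunks place chart values between literal double quotes (`value: "{{ $.Values.global.meshID }}"`), so a value containing a quote or backslash renders as broken or altered YAML. Piping through the quoting helper escapes it, e.g. `value: {{ $.Values.global.meshID | quote }}` and `value: {{ $.Values.global.multiCluster.clusterName | default "Kubernetes" | quote }}`. The same lines are added to gateways/istio-ingress/templates/deployment.yaml and should change with them. A short comment on the `else if` branch explaining why `trustDomain` stands in for the mesh ID would also help, since the two settings are not obviously interchangeable. The container spec these hunks sit in starts and ends outside the hunks.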
diff --git a/gateways/istio-ingress/templates/deployment.yaml b/gateways/istio-ingress/templates/deployment.yaml index b8fb7f5dd8b6..9cffe26efbb0 100644 --- a/gateways/istio-ingress/templates/deployment.yaml +++ b/gateways/istio-ingress/templates/deployment.yaml @@ -1,12 +1,12 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- $labels := (dict "app" "istio-ingressgateway" "istio" "ingressgateway") }} apiVersion: apps/v1 kind: Deployment metadata: name: istio-ingressgateway namespace: {{ .Release.Namespace }} labels: - app: istio-ingressgateway - istio: ingressgateway +{{ $labels | toYaml | indent 4 }} release: {{ .Release.Name }} spec: {{- if not $gateway.autoscaleEnabled }} @@ -25,8 +25,7 @@ spec: template: metadata: labels: - app: istio-ingressgateway - istio: ingressgateway +{{ $labels | toYaml | indent 8 }} {{- if eq .Release.Namespace "istio-system"}} heritage: Tiller release: istio @@ -226,6 +225,13 @@ spec: value: istio-ingressgateway - name: ISTIO_META_OWNER value: kubernetes://api/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/istio-ingressgateway + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain }}" + {{- end }} - name: ISTIO_META_POD_NAME valueFrom: fieldRef: @@ -253,6 +259,13 @@ spec: value: | {{ toJson $gateway.podAnnotations | indent 16}} {{ end }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ $labels | toJson }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" volumeMounts: {{ if .Values.global.sds.enabled }} - name: sdsudspath 
diff --git a/gateways/istio-ingress/templates/preconfigured.yaml b/gateways/istio-ingress/templates/preconfigured.yaml index 32f28efe547b..a144d97d7131 100644 --- a/gateways/istio-ingress/templates/preconfigured.yaml +++ b/gateways/istio-ingress/templates/preconfigured.yaml @@ -25,8 +25,8 @@ spec: name: https-default tls: mode: SIMPLE - serverCertificate: /etc/istio/ingress-certs/tls.crt - privateKey: /etc/istio/ingress-certs/tls.key + serverCertificate: /etc/istio/ingressgateway-certs/tls.crt + privateKey: /etc/istio/ingressgateway-certs/tls.key hosts: - "*" {{ end }} diff --git a/global.yaml b/global.yaml index d65a9f596932..1f4d70a81dc6 100644 --- a/global.yaml +++ b/global.yaml @@ -120,7 +120,7 @@ global: # the specified period, defaulting to non mTLS plain TCP # traffic. Set this field to tweak the period that Envoy will wait # for the client to send the first bits of data. (MUST BE >=1ms) - protocolDetectionTimeout: 1s + protocolDetectionTimeout: 100ms #If set to true, istio-proxy container will have privileged securityContext privileged: false @@ -205,7 +205,7 @@ global: proxy_init: # Base name for the proxy_init container, used to configure iptables. - image: proxy_init + image: proxyv2 resources: limits: cpu: 100m @@ -327,6 +327,9 @@ global: # talk to one another. All clusters should be using Istio mTLS and must # have a shared root CA for this model to work. enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" # A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). 
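Review bot: Lowering `protocolDetectionTimeout` from `1s` to `100ms` in the `@@ -120,7 +120,7 @@` hunk of global.yaml shortens the window after which, per the comment directly above it, a connection is handled as non-mTLS plain TCP. Clients that are slow to send their first bytes would fall into that default ten times sooner, and any policy or telemetry that depends on the traffic being recognised as HTTP presumably does not apply to them. The comment should record why 100ms was chosen and what happens on timeout, for example `# Connections that send nothing within this period are treated as plain TCP; HTTP-level handling does not apply to them.`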
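Review bot: The comment kept above `image: proxyv2` in the `@@ -205,7 +205,7 @@` hunk still reads as if this were a dedicated proxy_init image. Together with the switch from `args:` to `command: - istio-iptables` in istio-control/istio-autoinject/files/injection-template.yaml, an override that still sets `proxy_init.image: proxy_init` now depends on that image shipping an `istio-iptables` binary, which the diff does not show. I would reword the comment to `# Image for the init container that configures iptables; it must provide the istio-iptables command.`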
@@ -418,6 +421,12 @@ global: # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. enabled: false udsPath: "" + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + # Configure the mesh networks to be used by the Split Horizon EDS. # diff --git a/istio-control/istio-autoinject/files/injection-template.yaml b/istio-control/istio-autoinject/files/injection-template.yaml index c03a337eed58..b1867767b013 100644 --- a/istio-control/istio-autoinject/files/injection-template.yaml +++ b/istio-control/istio-autoinject/files/injection-template.yaml @@ -10,7 +10,8 @@ template: | {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - args: + command: + - istio-iptables - "-p" - 15001 - "-z" @@ -189,6 +190,25 @@ template: | valueFrom: fieldRef: fieldPath: status.hostIP + {{- if eq .Values.global.proxy.tracer "datadog" }} + {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- end }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{if or (ne $index1 0) (ne $index2 0)}},{{end}}{{ structToJSON $p }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_POD_NAME valueFrom: fieldRef: 
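Review bot: In the `@@ -189,6 +190,25 @@` hunk the `apm.datadoghq.com/env` annotation is parsed and each pair is written as `- name: {{ $key }}` / `value: "{{ $value }}"` with no escaping, so whoever sets the annotation supplies text that lands inside the injected sidecar's spec. A key or value containing a quote or a line break can change the rendered YAML, and a key can repeat a name the template sets itself, such as `ISTIO_META_CLUSTER_ID`. Both fields should go through an encoding helper rather than bare interpolation, and keys should be checked against the names the template owns. Separately, the comma guard in `ISTIO_META_POD_PORTS` (`or (ne $index1 0) (ne $index2 0)`) emits a leading comma when the first container declares no ports and a later one does, which yields invalid JSON; the separator needs to depend on whether an element was already written. The container definition extends beyond the hunk.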
@@ -197,6 +217,8 @@ template: | valueFrom: fieldRef: fieldPath: metadata.namespace + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - name: ISTIO_META_INCLUDE_INBOUND_PORTS @@ -336,7 +358,7 @@ template: | - serviceAccountToken: path: istio-token expirationSeconds: 43200 - audience: {{ .Values.global.trustDomain }} + audience: {{ .Values.global.sds.token.aud }} {{- if .Values.global.sds.customTokenDirectory }} - name: custom-sds-token secret: diff --git a/istio-control/istio-autoinject/templates/deployment.yaml b/istio-control/istio-autoinject/templates/deployment.yaml index b35b88988a17..8ad9cd80c6ce 100644 --- a/istio-control/istio-autoinject/templates/deployment.yaml +++ b/istio-control/istio-autoinject/templates/deployment.yaml @@ -30,7 +30,6 @@ spec: {{- end }} annotations: sidecar.istio.io/inject: "false" - checksum/config-volume: {{ .Files.Get "files/injection-template.yaml" | sha256sum }} {{- if .Values.sidecarInjectorWebhook.podAnnotations }} {{ toYaml .Values.sidecarInjectorWebhook.podAnnotations | indent 8 }} {{- end }} diff --git a/istio-control/istio-autoinject/templates/sidecar-injector-configmap.yaml b/istio-control/istio-autoinject/templates/sidecar-injector-configmap.yaml index 5269e6076f1e..3e51e6fcdaeb 100644 --- a/istio-control/istio-autoinject/templates/sidecar-injector-configmap.yaml +++ b/istio-control/istio-autoinject/templates/sidecar-injector-configmap.yaml 
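Review bot: `audience: {{ .Values.global.sds.token.aud }}` in the `@@ -336,7 +358,7 @@` hunk is rendered unquoted and is not checked for being empty. Kubernetes falls back to the API server's own audience when a projected service-account token has none, so an override that blanks `global.sds.token.aud` would hand the CA a token that is also valid against the API server. I would quote the value, `audience: "{{ .Values.global.sds.token.aud }}"`, and state in global.yaml that the field must be non-empty and must match what the CA verifies. Installations whose CA was checking the trust domain as the audience will need that check updated, since the default is now `istio-ca`.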
@@ -15,8 +15,13 @@ data: config: |- policy: {{ .Values.global.proxy.autoInject }} alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | indent 6 }} +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | indent 6 }} -{{ .Files.Get "files/injection-template.yaml" | indent 4 }} +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} +{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": "{{ $val }}" + {{- end }} + {{- end }} diff --git a/istio-control/istio-autoinject/values.yaml b/istio-control/istio-autoinject/values.yaml index 56382add7288..0d6588dc8a58 100644 --- a/istio-control/istio-autoinject/values.yaml +++ b/istio-control/istio-autoinject/values.yaml 
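Review bot: The added `"{{ $key }}": "{{ $val }}"` line in the `injectedAnnotations` range wraps chart values in literal quotes without escaping them, so an annotation value containing a double quote or backslash produces an invalid or altered injector config. Use the quoting helper instead: `{{ $key | quote }}: {{ $val | quote }}`. With the default `injectedAnnotations: {}` the key renders with no value; whether the injector accepts a null there is not visible from this hunk, so it may be safer to wrap the key in `{{- if .Values.sidecarInjectorWebhook.injectedAnnotations }}`.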
@@ -27,6 +27,20 @@ sidecarInjectorWebhook: tolerations: [] podAnnotations: {} + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + # If set, will use the value as injection label. The value must match the 'release' label of the injector, # except when 1.2 istio-injection label is used, which must be set to "enabled". injectLabel: istio-injection diff --git a/istio-control/istio-config/templates/deployment.yaml b/istio-control/istio-config/templates/deployment.yaml index 7c5ee5a1e3c5..f1fcba3f5c42 100644 --- a/istio-control/istio-config/templates/deployment.yaml +++ b/istio-control/istio-config/templates/deployment.yaml @@ -167,6 +167,8 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" resources: {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 12 }} diff --git a/istio-control/istio-discovery/templates/configmap.yaml b/istio-control/istio-discovery/templates/configmap.yaml index 1756073650d6..922b8e17ba91 100644 --- a/istio-control/istio-discovery/templates/configmap.yaml +++ b/istio-control/istio-discovery/templates/configmap.yaml 
@@ -10,10 +10,10 @@ data: meshNetworks: |- # Network config -{{ toYaml .Values.pilot.meshNetworks | indent 4 }} +{{ toYaml .Values.pilot.meshNetworks | trim | indent 4 }} values.yaml: |- -{{ toYaml .Values.pilot | indent 4 }} +{{ toYaml .Values.pilot | trim | indent 4 }} mesh: |- {{- if .Values.global.enableTracing }} @@ -36,6 +36,11 @@ data: reportBatchMaxTime: {{ .Values.mixer.telemetry.reportBatchMaxTime }} {{- end }} + {{- if .Values.mixer.telemetry.sessionAffinityEnabled }} + # sidecarToTelemetrySessionAffinity will create a STRICT_DNS type cluster for istio-telemetry. + sidecarToTelemetrySessionAffinity: {{ .Values.mixer.telemetry.sessionAffinityEnabled }} + {{- end }} + {{- if .Values.pilot.telemetry.enabled }} {{- if .Values.global.controlPlaneSecurityEnabled }} mixerReportServer: istio-telemetry.{{ .Values.global.telemetryNamespace }}.svc.cluster.local:15004 @@ -79,7 +84,7 @@ data: {{- if .Values.global.sds.enabled }} # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: {{ .Values.global.sds.udsPath }} + sdsUdsPath: {{ .Values.global.sds.udsPath | quote }} {{- else }} # Set expected values when SDS is disabled @@ -119,14 +124,14 @@ data: {{- if .Values.global.localityLbSetting.enabled }} localityLbSetting: -{{ toYaml .Values.global.localityLbSetting | indent 6 }} +{{ toYaml .Values.global.localityLbSetting | trim | indent 6 }} {{- end }} # Configures DNS certificates provisioned through Chiron linked into Pilot. # The DNS certificate provisioning is enabled by default now so it get tested. # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release. certificates: -{{ toYaml .Values.global.certificates | indent 6 }} +{{ toYaml .Values.global.certificates | trim | indent 6 }} defaultConfig: # 
diff --git a/istio-control/istio-discovery/templates/deployment.yaml b/istio-control/istio-discovery/templates/deployment.yaml index 9e232b842751..30d954cb6936 100644 --- a/istio-control/istio-discovery/templates/deployment.yaml +++ b/istio-control/istio-discovery/templates/deployment.yaml @@ -128,11 +128,15 @@ spec: - name: APP_NAMESPACE value: {{ join "," .Values.pilot.appNamespaces }} {{- end }} + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" resources: {{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | indent 12 }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} {{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} {{- end }} volumeMounts: - name: config-volume @@ -184,11 +188,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" resources: {{- if .Values.global.proxy.resources }} -{{ toYaml .Values.global.proxy.resources | indent 12 }} +{{ toYaml .Values.global.proxy.resources | trim | indent 12 }} {{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} {{- end }} volumeMounts: - name: istio-certs diff --git a/istio-control/istio-discovery/values.yaml b/istio-control/istio-discovery/values.yaml index 2db75fe753c3..caa5ff86427a 100644 --- a/istio-control/istio-discovery/values.yaml +++ b/istio-control/istio-discovery/values.yaml 
@@ -25,12 +25,16 @@ pilot: # Applications namespace list pilot manages appNamespaces: [] - env: - GODEBUG: gctrace=1 + env: {} cpu: targetAverageUtilization: 80 + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: false + nodeSelector: {} tolerations: [] podAnnotations: {} @@ -114,3 +118,5 @@ mixer: # A positive time value indicates the maximum wait time since the last request will telemetry data # be batched before being sent to the mixer server reportBatchMaxTime: 1s + + sessionAffinityEnabled: false diff --git a/istio-policy/templates/deployment.yaml b/istio-policy/templates/deployment.yaml index 3dd7a0278fa0..b310f35de653 100644 --- a/istio-policy/templates/deployment.yaml +++ b/istio-policy/templates/deployment.yaml @@ -200,6 +200,8 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" resources: {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 10 }} diff --git a/istio-policy/values.yaml b/istio-policy/values.yaml index 400e72277128..5302cafcfcd3 100644 --- a/istio-policy/values.yaml +++ b/istio-policy/values.yaml @@ -13,8 +13,7 @@ mixer: sessionAffinityEnabled: false podAnnotations: {} - env: - GODEBUG: gctrace=1 + env: {} adapters: useAdapterCRDs: false diff --git a/istio-telemetry/grafana/dashboards/galley-dashboard.json b/istio-telemetry/grafana/dashboards/galley-dashboard.json index d9cdf93d2583..92d6434c828c 100644 --- a/istio-telemetry/grafana/dashboards/galley-dashboard.json +++ b/istio-telemetry/grafana/dashboards/galley-dashboard.json 
@@ -1338,91 +1338,6 @@ "alignLevel": null } }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 35 - }, - "id": 16, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Kubernetes Object Conversion Successes", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Conversions/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, { "aliasColors": {}, "bars": false, diff --git a/istio-telemetry/grafana/templates/deployment.yaml b/istio-telemetry/grafana/templates/deployment.yaml index 7dee5445a8ed..49ec01c491c6 100644 --- a/istio-telemetry/grafana/templates/deployment.yaml +++ b/istio-telemetry/grafana/templates/deployment.yaml @@ -44,7 +44,7 @@ spec: - containerPort: 3000 readinessProbe: httpGet: - path: /login + path: /api/health port: 3000 env: - name: GRAFANA_PORT 
diff --git a/istio-telemetry/grafana/values.yaml b/istio-telemetry/grafana/values.yaml index faec364ec1d6..224af75f89d2 100644 --- a/istio-telemetry/grafana/values.yaml +++ b/istio-telemetry/grafana/values.yaml @@ -3,7 +3,7 @@ grafana: replicaCount: 1 image: repository: grafana/grafana - tag: 6.1.6 + tag: 6.3.6 persist: false storageClassName: "" accessMode: ReadWriteMany diff --git a/istio-telemetry/kiali/values.yaml b/istio-telemetry/kiali/values.yaml index 7d3173d476b7..8db0a4b56a6c 100644 --- a/istio-telemetry/kiali/values.yaml +++ b/istio-telemetry/kiali/values.yaml @@ -5,7 +5,7 @@ kiali: enabled: false # Note that if using the demo or demo-auth yaml when installing via Helm, this default will be `true`. replicaCount: 1 hub: docker.io/kiali - tag: v1.4.0 + tag: v1.4.2 image: kiali contextPath: /kiali # The root context path to access the Kiali UI. nodeSelector: {} @@ -58,6 +58,6 @@ kiali: createDemoSecret: true resources: {} security: - enabled: true + enabled: false cert_file: /kiali-cert/cert-chain.pem private_key_file: /kiali-cert/key.pem diff --git a/istio-telemetry/mixer-telemetry/templates/config.yaml b/istio-telemetry/mixer-telemetry/templates/config.yaml index c22e3902f94f..c963a3bfa798 100644 --- a/istio-telemetry/mixer-telemetry/templates/config.yaml +++ b/istio-telemetry/mixer-telemetry/templates/config.yaml @@ -241,7 +241,7 @@ spec: sourceOwner: source.owner | "" destinationApp: destination.labels["app"] | "" destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" + destinationServiceHost: destination.service.host | request.host | "" destinationWorkload: destination.workload.name | "" destinationName: destination.name | "" destinationNamespace: destination.namespace | "" 
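Review bot: The `@@ -58,6 +58,6 @@` hunk of istio-telemetry/kiali/values.yaml flips `security.enabled` from `true` to `false` with no comment, while `cert_file` and `private_key_file` stay configured beneath it. Judging by those keys the flag governs whether Kiali serves with the mounted certificate, so the default install would presumably expose the UI without TLS. If that is intended, say so next to the setting, e.g. `# TLS for the Kiali endpoint is off by default; set to true when /kiali-cert is mounted.`; otherwise keep `true`.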
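Review bot: Falling back to `request.host` in `destinationServiceHost: destination.service.host | request.host | ""` (hunk `@@ -241,7 +241,7 @@`) puts a client-supplied header into telemetry whenever the destination service is not resolved. The same fallback is added to `destination_service` in the hunks at -373, -408, -443, -478, -513 and -544, where it appears to become a metric dimension, so arbitrary Host values can create unbounded label cardinality and misleading service names in dashboards. I would keep `"unknown"` for the metric dimensions and limit `request.host` to the log entry, or normalise it before use. The enclosing instance specs begin outside these hunks.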
@@ -373,7 +373,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" + destination_service: destination.service.host | request.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" @@ -408,7 +408,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" + destination_service: destination.service.host | request.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" @@ -443,7 +443,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" + destination_service: destination.service.host | request.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" 
@@ -478,7 +478,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" + destination_service: destination.service.host | request.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" @@ -513,7 +513,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" + destination_service: destination.service.host | request.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) @@ -544,7 +544,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" + destination_service: destination.service.host | request.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 
@@ -575,7 +575,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" + destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) @@ -606,7 +606,7 @@ spec: destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.name | "unknown" + destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) diff --git a/istio-telemetry/mixer-telemetry/templates/deployment.yaml b/istio-telemetry/mixer-telemetry/templates/deployment.yaml index 02630a8ce834..ad5356d234f3 100644 --- a/istio-telemetry/mixer-telemetry/templates/deployment.yaml +++ b/istio-telemetry/mixer-telemetry/templates/deployment.yaml @@ -199,6 +199,8 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.podIP + - name: SDS_ENABLED + value: "{{ .Values.global.sds.enabled }}" resources: {{- if .Values.global.proxy.resources }} {{ toYaml .Values.global.proxy.resources | indent 10 }} diff --git a/istio-telemetry/mixer-telemetry/values.yaml b/istio-telemetry/mixer-telemetry/values.yaml index 6388ee5c1dc9..3ba1c6d07059 100644 --- a/istio-telemetry/mixer-telemetry/values.yaml 
+++ b/istio-telemetry/mixer-telemetry/values.yaml @@ -1,6 +1,5 @@ mixer: env: - GODEBUG: gctrace=1 # max procs should be ceil(cpu limit + 1) GOMAXPROCS: "6" diff --git a/istio-telemetry/prometheus-operator/values.yaml b/istio-telemetry/prometheus-operator/values.yaml index f295d9074991..14a5c2aada36 100644 --- a/istio-telemetry/prometheus-operator/values.yaml +++ b/istio-telemetry/prometheus-operator/values.yaml @@ -9,7 +9,7 @@ prometheus: # a prometheus resource and/or you desire a distinct prometheus resource for Istio. createPrometheusResource: false hub: docker.io/prom - tag: v2.8.0 + tag: v2.12.0 retention: 6h service: diff --git a/istio-telemetry/prometheus/values.yaml b/istio-telemetry/prometheus/values.yaml index 8f7a975c6975..cf58749f28df 100644 --- a/istio-telemetry/prometheus/values.yaml +++ b/istio-telemetry/prometheus/values.yaml @@ -3,7 +3,7 @@ prometheus: replicaCount: 1 hub: docker.io/prom image: prometheus - tag: v2.8.0 + tag: v2.12.0 retention: 6h # Controls the frequency of prometheus scraping diff --git a/security/certmanager/values.yaml b/security/certmanager/values.yaml index 8ecb976c1d7f..7a1c931701f7 100644 --- a/security/certmanager/values.yaml +++ b/security/certmanager/values.yaml @@ -8,7 +8,7 @@ certmanager: replicaCount: 1 hub: quay.io/jetstack image: cert-manager-controller - tag: v0.6.2 + tag: v0.8.1 resources: {} nodeSelector: {} tolerations: [] diff --git a/test/canary/values.yaml b/test/canary/values.yaml index 24a6af849004..119f4e78e699 100644 --- a/test/canary/values.yaml +++ b/test/canary/values.yaml @@ -9,8 +9,8 @@ debug: INFO version: "" global: - hub: gcr.io/istio-release - tag: master-latest-daily + hub: gcr.io/istio-testing + tag: latest imagePullPolicy: Always @@ -57,5 +57,5 @@ global: proxy_init: - image: proxy_init + image: proxyv2 diff --git a/test/simple/values.yaml b/test/simple/values.yaml index 6f07c99ce936..f50552c253d7 100644 --- a/test/simple/values.yaml +++ b/test/simple/values.yaml 
@@ -10,8 +10,8 @@ debug: INFO version: "" global: - hub: gcr.io/istio-release - tag: master-latest-daily + hub: gcr.io/istio-testing + tag: latest imagePullPolicy: Always @@ -58,5 +58,5 @@ global: proxy_init: - image: proxy_init + image: proxyv2