diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..3f62f69 Binary files /dev/null and b/.DS_Store differ diff --git a/gateway.yaml b/gateway.yaml deleted file mode 100644 index 15326d4..0000000 --- a/gateway.yaml +++ /dev/null @@ -1,516 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' - creationTimestamp: null - labels: - expose: "true" - security.istio.io/tlsMode: istio - server: http - name: "a" - name: server-a -spec: - containers: - - image: beppev/server-a:latest - name: front-end - ports: - - containerPort: 5000 - resources: {} - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --configPath - - /etc/istio/proxy - - --binaryPath - - /usr/local/bin/envoy - - --serviceCluster - - server-a.default - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --discoveryAddress - - istio-pilot.istio-system:15011 - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --connectTimeout - - 10s - - --proxyAdminPort - - "15000" - - --concurrency - - "2" - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --dnsRefreshRate - - 300s - - --statusPort - - "15020" - - --applicationPorts - - "5000" - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":5000} - ] - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "false" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "5000" - - name: ISTIO_METAJSON_LABELS - value: | - {"expose":"true","server":"http"} - - name: ISTIO_META_WORKLOAD_NAME - value: server-a - - name: ISTIO_META_OWNER - value: kubernetes://apis/v1/namespaces/default/pods/server-a - - name: ISTIO_META_MESH_ID - value: cluster.local - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: 1 - periodSeconds: 2 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - initContainers: - - command: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - "15020" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-certs - secret: - optional: true - secretName: istio.default -status: {} ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - sidecar.istio.io/status: '{"version":"b5faac9e6b02231b7db3b29487392a395f1c85c746bf62dc8cb660444af6e0d9","initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}' - creationTimestamp: null - labels: - security.istio.io/tlsMode: istio - server: http - name: "b" - name: server-b -spec: - containers: - - image: beppev/server-b:latest - name: front-end - ports: - - containerPort: 6000 - resources: {} - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --configPath - - /etc/istio/proxy - - --binaryPath - - /usr/local/bin/envoy - - --serviceCluster - - server-b.default - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --discoveryAddress - - istio-pilot.istio-system:15011 - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --connectTimeout - - 10s - - --proxyAdminPort - - "15000" - - --concurrency - - "2" - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --dnsRefreshRate - - 300s - - --statusPort - - "15020" - - --applicationPorts - - "6000" - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":6000} - ] - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "false" - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "6000" - - name: ISTIO_METAJSON_LABELS - value: | - {"server":"http"} - - name: ISTIO_META_WORKLOAD_NAME - value: server-b - - name: ISTIO_META_OWNER - value: kubernetes://apis/v1/namespaces/default/pods/server-b - - name: ISTIO_META_MESH_ID - value: cluster.local - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: 1 - periodSeconds: 2 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - initContainers: - - command: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - "15020" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-certs - secret: - optional: true - secretName: istio.default -status: {} ---- -kind: Service -apiVersion: v1 -metadata: - name: server-a-service -spec: - selector: - name: "a" - ports: - - name: http - protocol: TCP - port: 5000 - - name: sb - protocol: TCP - port: 6000 ---- -kind: Service -apiVersion: v1 -metadata: - name: server-b-service -spec: - selector: - name: "b" - ports: - - name: http - protocol: TCP - port: 6000 - ---- -kind: VirtualService -apiVersion: networking.istio.io/v1alpha3 -metadata: - name: link-servers -spec: - hosts: - - server-a-service - http: - - match: - - headers: - end-user: - exact: jason - route: - - destination: - host: server-b-service - - route: - - destination: - host: server-b-service - - - - -#kind: Service -#apiVersion: v1 -#metadata: -# name: server-a-service -#spec: -# selector: -# server: "http" -# ports: -# - name: http -# protocol: TCP -# port: 6000 ---- -kind: Service -apiVersion: v1 -metadata: - name: expose-server -spec: - type: NodePort - selector: - expose: "true" - ports: - - name: http - protocol: TCP - targetPort: 5000 - port: 5000 - nodePort: 30036 -#--- -#apiVersion: networking.istio.io/v1alpha3 -#kind: VirtualService -#metadata: -# name: virtual-service -#spec: -# host: -# - expose-server -# http: -# - match: -# - headers: -# end-user: -# exact: jason -# - route: -# - destination: -# host: expose-server -# - route: -# - destination: -# host: expose-server -# ---- -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: ext-host-gwy -spec: - selector: - expose: "true" - servers: - - port: - number: 5000 - name: http - protocol: HTTP - hosts: - - expose-server.cluster.local - ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: virtual-svc -spec: - hosts: - - '*' - gateways: - - ext-host-gwy - http: - - name: "help" - route: - - destination: - host: expose-server.cluster.local diff --git a/hello/.helmignore b/helm-hello/.helmignore similarity index 100% rename from hello/.helmignore rename to helm-hello/.helmignore diff --git a/hello/Chart.yaml b/helm-hello/Chart.yaml similarity index 100% rename from hello/Chart.yaml rename to helm-hello/Chart.yaml diff --git a/hello/templates.OLD/NOTES.txt b/helm-hello/templates.OLD/NOTES.txt similarity index 100% rename from hello/templates.OLD/NOTES.txt rename to helm-hello/templates.OLD/NOTES.txt diff --git a/hello/templates.OLD/_helpers.tpl b/helm-hello/templates.OLD/_helpers.tpl similarity index 100% rename from hello/templates.OLD/_helpers.tpl rename to helm-hello/templates.OLD/_helpers.tpl diff --git a/hello/templates.OLD/deployment.yaml b/helm-hello/templates.OLD/deployment.yaml similarity index 100% rename from hello/templates.OLD/deployment.yaml rename to helm-hello/templates.OLD/deployment.yaml diff --git a/hello/templates.OLD/ingress.yaml b/helm-hello/templates.OLD/ingress.yaml similarity index 100% rename from hello/templates.OLD/ingress.yaml rename to helm-hello/templates.OLD/ingress.yaml diff --git a/hello/templates.OLD/service.yaml b/helm-hello/templates.OLD/service.yaml similarity index 100% rename from hello/templates.OLD/service.yaml rename to helm-hello/templates.OLD/service.yaml diff --git a/hello/templates.OLD/serviceaccount.yaml b/helm-hello/templates.OLD/serviceaccount.yaml similarity index 100% rename from hello/templates.OLD/serviceaccount.yaml rename to helm-hello/templates.OLD/serviceaccount.yaml diff --git a/hello/templates.OLD/tests/test-connection.yaml b/helm-hello/templates.OLD/tests/test-connection.yaml similarity index 100% rename from hello/templates.OLD/tests/test-connection.yaml rename to helm-hello/templates.OLD/tests/test-connection.yaml diff --git a/hello/templates/pod-server-a.yaml b/helm-hello/templates/pod-server-a.yaml similarity index 100% rename from hello/templates/pod-server-a.yaml rename to helm-hello/templates/pod-server-a.yaml diff --git a/hello/templates/pod-server-b.yaml b/helm-hello/templates/pod-server-b.yaml similarity index 100% rename from hello/templates/pod-server-b.yaml rename to helm-hello/templates/pod-server-b.yaml diff --git a/hello/templates/service-expose.yaml b/helm-hello/templates/service-expose.yaml similarity index 100% rename from hello/templates/service-expose.yaml rename to helm-hello/templates/service-expose.yaml diff --git a/hello/templates/service.yaml b/helm-hello/templates/service.yaml similarity index 100% rename from hello/templates/service.yaml rename to helm-hello/templates/service.yaml diff --git a/hello/values.yaml b/helm-hello/values.yaml similarity index 100% rename from hello/values.yaml rename to helm-hello/values.yaml diff --git a/istioctl-config-demo.yaml b/istioctl-config-demo.yaml deleted file mode 100644 index 9b2c5e4..0000000 --- a/istioctl-config-demo.yaml +++ /dev/null @@ -1,25246 +0,0 @@ -# Resources for Base component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -rules: -- apiGroups: - - "config.istio.io" - - "rbac.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: attributemanifests.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: attributemanifest - plural: attributemanifests - singular: attributemanifest - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - attributes: - additionalProperties: - properties: - description: - description: A human-readable description of the attribute's purpose. - format: string - type: string - valueType: - description: The type of data carried by this attribute. - enum: - - VALUE_TYPE_UNSPECIFIED - - STRING - - INT64 - - DOUBLE - - BOOL - - TIMESTAMP - - IP_ADDRESS - - EMAIL_ADDRESS - - URI - - DNS_NAME - - DURATION - - STRING_MAP - type: string - type: object - description: The set of attributes this Istio component will be responsible - for producing at runtime. - type: object - name: - description: Name of the component producing these attributes. - format: string - type: string - revision: - description: The revision of this document. - format: string - type: string - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - heritage: Tiller - istio: rbac - release: istio - name: clusterrbacconfigs.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ClusterRbacConfig - plural: clusterrbacconfigs - singular: clusterrbacconfig - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - enforcementMode: - enum: - - ENFORCED - - PERMISSIVE - type: string - exclusion: - description: A list of services or namespaces that should not be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - inclusion: - description: A list of services or namespaces that should be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - mode: - description: Istio RBAC mode. - enum: - - "OFF" - - "ON" - - ON_WITH_INCLUSION - - ON_WITH_EXCLUSION - type: string - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a - backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP - upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on - the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to - the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to - a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more - details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was - generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to SIDECAR_INBOUND context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - filters: - items: - properties: - filterConfig: - type: object - filterName: - description: The name of the filter to instantiate. - format: string - type: string - filterType: - description: The type of filter to instantiate. - enum: - - INVALID - - HTTP - - NETWORK - type: string - insertPosition: - description: Insert position in the filter chain. - properties: - index: - description: Position of this filter in the filter chain. - enum: - - FIRST - - LAST - - BEFORE - - AFTER - type: string - relativeTo: - format: string - type: string - type: object - listenerMatch: - properties: - address: - description: One or more IP addresses to which the listener - is bound. - items: - format: string - type: string - type: array - listenerProtocol: - description: Selects a class of listeners for the same protocol. - enum: - - ALL - - HTTP - - TCP - type: string - listenerType: - description: Inbound vs outbound sidecar listener or gateway - listener. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - portNamePrefix: - format: string - type: string - portNumber: - type: integer - type: object - type: object - type: array - workloadLabels: - additionalProperties: - format: string - type: string - description: Deprecated. - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - api_specs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - apiSpecs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed HTTPAPISpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpec - plural: httpapispecs - singular: httpapispec - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - api_keys: - items: - oneOf: - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - apiKeys: - items: - oneOf: - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - patterns: - description: List of HTTP patterns to match. - items: - oneOf: - - required: - - uriTemplate - - required: - - regex - properties: - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - httpMethod: - format: string - type: string - regex: - format: string - type: string - uriTemplate: - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-citadel - chart: istio - heritage: Tiller - release: istio - name: meshpolicies.authentication.istio.io -spec: - group: authentication.istio.io - names: - categories: - - istio-io - - authentication-istio-io - kind: MeshPolicy - listKind: MeshPolicyList - plural: meshpolicies - singular: meshpolicy - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Authentication policy for Istio services. See more details - at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' - properties: - originIsOptional: - type: boolean - origins: - description: List of authentication methods that can be used for origin - authentication. - items: - properties: - jwt: - description: Jwt params for the method. - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - type: object - type: array - peerIsOptional: - type: boolean - peers: - description: List of authentication methods that can be used for peer - authentication. - items: - oneOf: - - required: - - mtls - - required: - - jwt - properties: - jwt: - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - mtls: - description: Set if mTLS is used. - properties: - allowTls: - description: WILL BE DEPRECATED, if set, will translates to - `TLS_PERMISSIVE` mode. - type: boolean - mode: - description: Defines the mode of mTLS authentication. - enum: - - STRICT - - PERMISSIVE - type: string - type: object - type: object - type: array - principalBinding: - description: Define whether peer or origin identity should be use for - principal. - enum: - - USE_PEER - - USE_ORIGIN - type: string - targets: - description: List rules to select workloads that the policy should be - applied on. - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: The name must be a short name from the service registry. - format: string - type: string - ports: - description: Specifies the ports. - items: - oneOf: - - required: - - number - - required: - - name - properties: - name: - format: string - type: string - number: - type: integer - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-citadel - chart: istio - heritage: Tiller - release: istio - name: policies.authentication.istio.io -spec: - group: authentication.istio.io - names: - categories: - - istio-io - - authentication-istio-io - kind: Policy - plural: policies - singular: policy - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Authentication policy for Istio services. See more details - at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' - properties: - originIsOptional: - type: boolean - origins: - description: List of authentication methods that can be used for origin - authentication. - items: - properties: - jwt: - description: Jwt params for the method. - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - type: object - type: array - peerIsOptional: - type: boolean - peers: - description: List of authentication methods that can be used for peer - authentication. - items: - oneOf: - - required: - - mtls - - required: - - jwt - properties: - jwt: - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - mtls: - description: Set if mTLS is used. - properties: - allowTls: - description: WILL BE DEPRECATED, if set, will translates to - `TLS_PERMISSIVE` mode. - type: boolean - mode: - description: Defines the mode of mTLS authentication. - enum: - - STRICT - - PERMISSIVE - type: string - type: object - type: object - type: array - principalBinding: - description: Define whether peer or origin identity should be use for - principal. - enum: - - USE_PEER - - USE_ORIGIN - type: string - targets: - description: List rules to select workloads that the policy should be - applied on. - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: The name must be a short name from the service registry. - format: string - type: string - ports: - description: Specifies the ports. - items: - oneOf: - - required: - - number - - required: - - name - properties: - name: - format: string - type: string - number: - type: integer - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - quotaSpecs: - items: - properties: - name: - description: The short name of the QuotaSpec. - format: string - type: string - namespace: - description: Optional namespace of the QuotaSpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed QuotaSpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: Determines the quotas used for individual requests. - properties: - rules: - description: A list of Quota rules. - items: - properties: - match: - description: If empty, match all request. - items: - properties: - clause: - additionalProperties: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - description: Map of attribute names to StringMatch type. - type: object - type: object - type: array - quotas: - description: The list of quotas to charge. - items: - properties: - charge: - format: int32 - type: integer - quota: - format: string - type: string - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: rbacconfigs.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: RbacConfig - plural: rbacconfigs - singular: rbacconfig - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - enforcementMode: - enum: - - ENFORCED - - PERMISSIVE - type: string - exclusion: - description: A list of services or namespaces that should not be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - inclusion: - description: A list of services or namespaces that should be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - mode: - description: Istio RBAC mode. - enum: - - "OFF" - - "ON" - - ON_WITH_INCLUSION - - ON_WITH_EXCLUSION - type: string - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: rules.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: rule - plural: rules - singular: rule - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - actions: - description: The actions that will be executed when match evaluates - to `true`. - items: - properties: - handler: - description: Fully qualified name of the handler to invoke. - format: string - type: string - instances: - items: - format: string - type: string - type: array - name: - description: A handle to refer to the results of the action. - format: string - type: string - type: object - type: array - match: - description: Match is an attribute based predicate. - format: string - type: string - requestHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - responseHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - sampling: - properties: - random: - description: Provides filtering of actions based on random selection - per request. - properties: - attributeExpression: - description: Specifies an attribute expression to use to override - the numerator in the `percent_sampled` field. - format: string - type: string - percentSampled: - description: The default sampling rate, expressed as a percentage. - properties: - denominator: - description: Specifies the denominator. - enum: - - HUNDRED - - TEN_THOUSAND - type: string - numerator: - description: Specifies the numerator. - type: integer - type: object - useIndependentRandomness: - description: By default sampling will be based on the value - of the request header `x-request-id`. - type: boolean - type: object - rateLimit: - properties: - maxUnsampledEntries: - description: Number of entries to allow during the `sampling_duration` - before sampling is enforced. - format: int64 - type: integer - samplingDuration: - description: Window in which to enforce the sampling rate. - type: string - samplingRate: - description: The rate at which to sample entries once the unsampled - limit has been reached. - format: int64 - type: integer - type: object - type: object - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL - or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: servicerolebindings.rbac.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.roleRef.name - description: The name of the ServiceRole object being referenced - name: Reference - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ServiceRoleBinding - plural: servicerolebindings - singular: servicerolebinding - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - actions: - items: - properties: - constraints: - description: Optional. - items: - properties: - key: - description: Key of the constraint. - format: string - type: string - values: - description: List of valid values for the constraint. - items: - format: string - type: string - type: array - type: object - type: array - hosts: - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - items: - format: string - type: string - type: array - notMethods: - items: - format: string - type: string - type: array - notPaths: - items: - format: string - type: string - type: array - notPorts: - items: - format: int32 - type: integer - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - items: - format: int32 - type: integer - type: array - services: - description: A list of service names. - items: - format: string - type: string - type: array - type: object - type: array - mode: - enum: - - ENFORCED - - PERMISSIVE - type: string - role: - format: string - type: string - roleRef: - description: Reference to the ServiceRole object. - properties: - kind: - description: The type of the role being referenced. - format: string - type: string - name: - description: The name of the ServiceRole object being referenced. - format: string - type: string - type: object - subjects: - description: List of subjects that are assigned the ServiceRole object. - items: - properties: - group: - format: string - type: string - groups: - items: - format: string - type: string - type: array - ips: - items: - format: string - type: string - type: array - names: - items: - format: string - type: string - type: array - namespaces: - items: - format: string - type: string - type: array - notGroups: - items: - format: string - type: string - type: array - notIps: - items: - format: string - type: string - type: array - notNames: - items: - format: string - type: string - type: array - notNamespaces: - items: - format: string - type: string - type: array - properties: - additionalProperties: - format: string - type: string - description: Optional. - type: object - user: - description: Optional. - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: serviceroles.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ServiceRole - plural: serviceroles - singular: servicerole - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - rules: - description: The set of access rules (permissions) that the role has. - items: - properties: - constraints: - description: Optional. - items: - properties: - key: - description: Key of the constraint. - format: string - type: string - values: - description: List of valid values for the constraint. - items: - format: string - type: string - type: array - type: object - type: array - hosts: - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - items: - format: string - type: string - type: array - notMethods: - items: - format: string - type: string - type: array - notPaths: - items: - format: string - type: string - type: array - notPorts: - items: - format: int32 - type: integer - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - items: - format: int32 - type: integer - type: array - services: - description: A list of service names. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these - routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - appendHeaders: - additionalProperties: - format: string - type: string - type: object - appendRequestHeaders: - additionalProperties: - format: string - type: string - type: object - appendResponseHeaders: - additionalProperties: - format: string - type: string - type: object - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. - items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at - the client side. - properties: - abort: - oneOf: - - properties: - percent: {} - required: - - httpStatus - - properties: - percent: {} - required: - - grpcStatus - - properties: - percent: {} - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percent: - description: Percentage of requests to be aborted with - the error code provided (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - properties: - percent: {} - required: - - fixedDelay - - properties: - percent: {} - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - gateways: - items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should - be case-insensitive. - type: boolean - method: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - uri: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A http rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - removeRequestHeaders: - items: - format: string - type: string - type: array - removeResponseHeaders: - items: - format: string - type: string - type: array - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per retry attempt for a given request. - type: string - retryOn: - description: Specifies the conditions under which retry takes - place. - format: string - type: string - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A http rule can either redirect or forward (default) - traffic. - items: - properties: - appendRequestHeaders: - additionalProperties: - format: string - type: string - description: Use of `append_request_headers` is deprecated. - type: object - appendResponseHeaders: - additionalProperties: - format: string - type: string - description: Use of `append_response_headers` is deprecated. - type: object - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - removeRequestHeaders: - description: Use of `remove_request_headers` is deprecated. - items: - format: string - type: string - type: array - removeResponseHeaders: - description: Use of `remove_response_header` is deprecated. - items: - format: string - type: string - type: array - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests. - type: string - websocketUpgrade: - description: Deprecated. - type: boolean - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied to. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied to. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: instances.config.istio.io - labels: - app: mixer - package: instance - istio: mixer-instance - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: instance - plural: instances - singular: instance - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: handlers.config.istio.io - labels: - app: mixer - package: handler - istio: mixer-handler - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: handler - plural: handlers - singular: handler - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - plural: sidecars - singular: sidecar - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The ip to which the listener should be bound. - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - type: object - type: array - outboundTrafficPolicy: - description: This allows to configure the outbound traffic policy. - properties: - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details - at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html' - properties: - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - values: - description: The allowed values for the attribute. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - type: object - versions: - - name: v1beta1 - served: true - storage: true ---- - - -apiVersion: v1 -kind: Namespace -metadata: - name: istio-system - labels: - istio-operator-managed: Reconcile - istio-injection: disabled ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-reader-service-account - namespace: istio-system - labels: - app: istio-reader - release: istio ---- - -# CertManager component is disabled. - -# Resources for Citadel component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-citadel-istio-system - labels: - app: citadel - release: istio -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "update"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "watch", "list", "update", "delete"] -- apiGroups: [""] - resources: ["serviceaccounts", "services", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-citadel-istio-system - labels: - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-citadel-istio-system -subjects: - - kind: ServiceAccount - name: istio-citadel-service-account - namespace: istio-system ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: security - istio: citadel - release: istio - name: istio-citadel - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: citadel - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: citadel - istio: citadel - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --append-dns-names=true - - --grpc-port=8060 - - --citadel-storage-namespace=istio-system - - --custom-dns-names=istio-galley-service-account.istio-config:istio-galley.istio-config.svc,istio-galley-service-account.istio-control:istio-galley.istio-control.svc,istio-galley-service-account.istio-control-master:istio-galley.istio-control-master.svc,istio-galley-service-account.istio-master:istio-galley.istio-master.svc,istio-galley-service-account.istio-pilot11:istio-galley.istio-pilot11.svc,istio-pilot-service-account.istio-control:istio-pilot.istio-control,istio-pilot-service-account.istio-pilot11:istio-pilot.istio-system,istio-sidecar-injector-service-account.istio-control:istio-sidecar-injector.istio-control.svc,istio-sidecar-injector-service-account.istio-control-master:istio-sidecar-injector.istio-control-master.svc,istio-sidecar-injector-service-account.istio-master:istio-sidecar-injector.istio-master.svc,istio-sidecar-injector-service-account.istio-pilot11:istio-sidecar-injector.istio-pilot11.svc,istio-sidecar-injector-service-account.istio-remote:istio-sidecar-injector.istio-remote.svc, - - --self-signed-ca=true - - --trust-domain=cluster.local - - --workload-cert-ttl=2160h - env: - - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT - value: "true" - image: docker.io/istio/citadel:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /version - port: 15014 - initialDelaySeconds: 5 - periodSeconds: 5 - name: citadel - resources: - requests: - cpu: 10m - serviceAccountName: istio-citadel-service-account - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-citadel - namespace: istio-system - labels: - app: security - istio: citadel - release: istio -spec: - minAvailable: 1 - selector: - matchLabels: - app: citadel - istio: citadel ---- - - -apiVersion: v1 -kind: Service -metadata: - # Must match the certificate, this is used in the node agent in same namespace. - name: istio-citadel - namespace: istio-system - labels: - app: security - istio: citadel - release: istio - -spec: - ports: - - name: grpc-citadel - port: 8060 - targetPort: 8060 - protocol: TCP - - name: http-monitoring - port: 15014 - selector: - app: citadel ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-citadel-service-account - namespace: istio-system - labels: - app: security - release: istio ---- - -# Cni component is disabled. - -# CoreDNS component is disabled. - -# Resources for EgressGateway component - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-egressgateway - istio: egressgateway - release: istio - name: istio-egressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-egressgateway - istio: egressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: istio-egressgateway - chart: gateways - heritage: Tiller - istio: egressgateway - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --connectTimeout - - 10s - - --serviceCluster - - istio-egressgateway - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyAdminPort - - "15000" - - --statusPort - - "15020" - - --controlPlaneAuthPolicy - - NONE - - --discoveryAddress - - istio-pilot.istio-system:15010 - - --trust-domain=cluster.local - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-egressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-egressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - - name: ISTIO_METAJSON_LABELS - value: | - {"app":"istio-egressgateway","istio":"egressgateway"} - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 80 - - containerPort: 443 - - containerPort: 15443 - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 10m - memory: 40Mi - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/istio/egressgateway-certs - name: egressgateway-certs - readOnly: true - - mountPath: /etc/istio/egressgateway-ca-certs - name: egressgateway-ca-certs - readOnly: true - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.default - - name: egressgateway-certs - secret: - optional: true - secretName: istio-egressgateway-certs - - name: egressgateway-ca-certs - secret: - optional: true - secretName: istio-egressgateway-ca-certs - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-egressgateway - namespace: istio-system - labels: - app: istio-egressgateway - istio: egressgateway - release: istio -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-egressgateway - istio: egressgateway - release: istio ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-multicluster-egressgateway - namespace: istio-system - labels: - app: istio-egressgateway - release: istio -spec: - selector: - istio: egressgateway - servers: - - hosts: - - "*.global" - port: - name: tls - number: 15443 - protocol: TLS - tls: {} ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: istio-multicluster-egressgateway - namespace: istio-system - labels: - app: istio-egressgateway - release: istio -spec: - gateways: - - istio-multicluster-egressgateway - hosts: - - "*.global" - tls: - - match: - - port: 15443 - sniHosts: - - "*.global" - route: - - destination: - host: non.existent.cluster - port: - number: 15443 - weight: 100 ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: istio-multicluster-egressgateway - namespace: istio-system - labels: - app: istio-egressgateway - release: istio -spec: - workloadLabels: - istio: egressgateway - filters: - - listenerMatch: - portNumber: 15443 - listenerType: GATEWAY - filterName: envoy.filters.network.sni_cluster - filterType: NETWORK - filterConfig: {} ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-multicluster-egressgateway - namespace: istio-system - labels: - app: istio-egressgateway - release: istio -spec: - host: "*.global" - trafficPolicy: - tls: - mode: ISTIO_MUTUAL ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-egressgateway - namespace: istio-system - annotations: - labels: - app: istio-egressgateway - release: istio - istio: egressgateway -spec: - type: ClusterIP - selector: - app: istio-egressgateway - ports: - - - name: http2 - port: 80 - - - name: https - port: 443 - - - name: tls - port: 15443 - targetPort: 15443 ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istio-egressgateway-sds - namespace: istio-system -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istio-egressgateway-sds - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-egressgateway-sds -subjects: -- kind: ServiceAccount - name: istio-egressgateway-service-account ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-egressgateway-service-account - namespace: istio-system - labels: - app: istio-egressgateway - release: istio ---- - -# Resources for Galley component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-galley-istio-system - labels: - release: istio -rules: - # For reading Istio resources - - apiGroups: [ - "authentication.istio.io", - "config.istio.io", - "networking.istio.io", - "rbac.istio.io", - "security.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] - # For updating Istio resource statuses - - apiGroups: [ - "authentication.istio.io", - "config.istio.io", - "networking.istio.io", - "rbac.istio.io", - "security.istio.io"] - resources: ["*/status"] - verbs: ["update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["*"] - - apiGroups: ["extensions","apps"] - resources: ["deployments"] - resourceNames: ["istio-galley"] - verbs: ["get"] - - apiGroups: [""] - resources: ["pods", "nodes", "services", "endpoints", "namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["namespaces/finalizers"] - verbs: ["update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-galley-admin-role-binding-istio-system - labels: - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-galley-istio-system -subjects: - - kind: ServiceAccount - name: istio-galley-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-mesh-galley - namespace: istio-system - labels: - release: istio -data: - mesh: |- - {} ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-galley-configuration - namespace: istio-system - labels: - release: istio -data: - validatingwebhookconfiguration.yaml: |- - apiVersion: admissionregistration.k8s.io/v1beta1 - kind: ValidatingWebhookConfiguration - metadata: - name: istio-galley-istio-system - namespace: istio-system - labels: - app: galley - release: istio - istio: galley - webhooks: - - name: pilot.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: istio-system - path: "/admitpilot" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - httpapispecs - - httpapispecbindings - - quotaspecs - - quotaspecbindings - - operations: - - CREATE - - UPDATE - apiGroups: - - rbac.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - authentication.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - networking.istio.io - apiVersions: - - "*" - resources: - - destinationrules - - envoyfilters - - gateways - - serviceentries - - sidecars - - virtualservices - failurePolicy: Fail - sideEffects: None - - name: mixer.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: istio-system - path: "/admitmixer" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - rules - - attributemanifests - - circonuses - - deniers - - fluentds - - kubernetesenvs - - listcheckers - - memquotas - - noops - - opas - - prometheuses - - rbacs - - solarwindses - - stackdrivers - - cloudwatches - - dogstatsds - - statsds - - stdios - - apikeys - - authorizations - - checknothings - # - kuberneteses - - listentries - - logentries - - metrics - - quotas - - reportnothings - - tracespans - - adapters - - handlers - - instances - - templates - - zipkins - failurePolicy: Fail - sideEffects: None ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: galley - istio: galley - release: istio - name: istio-galley - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: galley - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: galley - chart: galley - heritage: Tiller - istio: galley - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - command: - - /usr/local/bin/galley - - server - - --meshConfigFile=/etc/mesh-config/mesh - - --livenessProbeInterval=1s - - --livenessProbePath=/tmp/healthliveness - - --readinessProbePath=/tmp/healthready - - --readinessProbeInterval=1s - - --insecure=true - - --enable-validation=true - - --enable-reconcileWebhookConfiguration=true - - --enable-server=true - - --deployment-namespace=istio-system - - --validation-webhook-config-file - - /etc/config/validatingwebhookconfiguration.yaml - - --monitoringPort=15014 - - --validation-port=9443 - - --log_output_level=default:info - image: docker.io/istio/galley:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /usr/local/bin/galley - - probe - - --probe-path=/tmp/healthliveness - - --interval=10s - initialDelaySeconds: 5 - periodSeconds: 5 - name: galley - ports: - - containerPort: 9443 - - containerPort: 15014 - - containerPort: 15019 - - containerPort: 9901 - readinessProbe: - exec: - command: - - /usr/local/bin/galley - - probe - - --probe-path=/tmp/healthready - - --interval=10s - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - requests: - cpu: 100m - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/config - name: config - readOnly: true - - mountPath: /etc/mesh-config - name: mesh-config - readOnly: true - serviceAccountName: istio-galley-service-account - volumes: - - name: istio-certs - secret: - secretName: istio.istio-galley-service-account - - configMap: - name: istio-galley-configuration - name: config - - configMap: - name: istio-mesh-galley - name: mesh-config - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-galley - namespace: istio-system - labels: - app: galley - release: istio - istio: galley -spec: - minAvailable: 1 - selector: - matchLabels: - app: galley - release: istio - istio: galley ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-galley - namespace: istio-system - labels: - app: galley - istio: galley - release: istio -spec: - ports: - - port: 443 - name: https-validation - targetPort: 9443 - - port: 15014 - name: http-monitoring - - port: 9901 - name: grpc-mcp - - port: 15019 - name: grpc-tls-mcp - selector: - istio: galley ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-galley-service-account - namespace: istio-system - labels: - app: galley - release: istio ---- - -# Resources for Grafana component - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-citadel-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - citadel-dashboard.json: '{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "", - "editable": true, - "gnetId": null, - "graphTooltip": 0, - "links": [], - "panels": [ - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 8, - "panels": [], - "title": "Performance", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "CPU usage across Citadel instances.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 1 - }, - "id": 10, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"citadel\", pod_name=~\"istio-citadel-.*\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Citadel CPU usage rate", - "refId": "A" - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"citadel\"}[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Citadel CPU usage irate", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Citadel process memory statistics.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 1 - }, - "id": 12, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Virtual Memory", - "refId": "A" - }, - { - "expr": "process_resident_memory_bytes{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Resident Memory", - "refId": "B" - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Heap Memory Total", - "refId": "C" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Heap Memory Allocated", - "refId": "E" - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Heap Inuse", - "refId": "F" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 1 - }, - "id": 14, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Goroutines", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 7 - }, - "id": 28, - "panels": [], - "title": "General", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Total number of CSR requests made to Citadel.", - "fill": 1, - "gridPos": { - "h": 5, - "w": 12, - "x": 0, - "y": 8 - }, - "id": 30, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "citadel_server_csr_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "CSR Request Count", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CSR Requests", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "The number of certificates issuances that have succeeded.", - "fill": 1, - "gridPos": { - "h": 5, - "w": 12, - "x": 12, - "y": 8 - }, - "id": 32, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "citadel_server_success_cert_issuance_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Certificates Issued", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Certificates Issued", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 13 - }, - "id": 23, - "panels": [], - "title": "Errors", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "The number of errors occurred when creating the CSR.", - "fill": 1, - "gridPos": { - "h": 5, - "w": 8, - "x": 0, - "y": 14 - }, - "id": 20, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "citadel_secret_controller_csr_err_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "CSR Creation Error Count", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CSR Creation Errors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 5, - "w": 8, - "x": 8, - "y": 14 - }, - "id": 24, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "citadel_server_csr_parsing_err_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "CSR Parse Error Count", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CSR Parse Errors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "The number of authentication failures.", - "fill": 1, - "gridPos": { - "h": 5, - "w": 8, - "x": 16, - "y": 14 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "citadel_server_authentication_failure_count{job=\"citadel\"}\t", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Authentication Failure Count", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Authentication Failures", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 19 - }, - "id": 4, - "panels": [], - "title": "Secret Controller", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "The number of certificates created due to service account creation.", - "fill": 1, - "gridPos": { - "h": 5, - "w": 8, - "x": 0, - "y": 20 - }, - "id": 2, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": true, - "targets": [ - { - "expr": "citadel_secret_controller_svc_acc_created_cert_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "SA Secrets Created", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Service Account Secrets Created (due to SA creation)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": "Certs Created", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "The number of certificates deleted due to service account deletion.", - "fill": 1, - "gridPos": { - "h": 5, - "w": 8, - "x": 8, - "y": 20 - }, - "id": 16, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": true, - "targets": [ - { - "expr": "citadel_secret_controller_svc_acc_deleted_cert_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "SA Secrets Deleted", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Service Account Secrets Deleted (due to SA deletion)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": "Certs Created", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "The number of certificates recreated due to secret deletion (service account still exists).", - "fill": 1, - "gridPos": { - "h": 5, - "w": 8, - "x": 16, - "y": 20 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": true, - "targets": [ - { - "expr": "citadel_secret_controller_secret_deleted_cert_count{job=\"citadel\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "SA Secrets Recreated", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Service Account Secrets Recreated (due to errant deletion)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": "Certs Created", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 18, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Citadel Dashboard", - "uid": "OOyOqb4Wz", - "version": 1 -}' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-galley-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - galley-dashboard.json: '{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "links": [], - "panels": [ - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 5, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 46, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build{component=\"galley\"}) by (tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Galley Versions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 40, - "panels": [], - "title": "Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 0, - "y": 6 - }, - "id": 36, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "A" - }, - { - "expr": "process_resident_memory_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "B" - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "C" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F" - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "G" - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "H" - }, - { - "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Total (kis)", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 6, - "y": 6 - }, - "id": 38, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B" - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "galley (self-reported)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 12, - "y": 6 - }, - "id": 42, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Open FDs (galley)", - "refId": "A" - }, - { - "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }} ", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 6, - "x": 18, - "y": 6 - }, - "id": 44, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "goroutines_total", - "refId": "A" - }, - { - "expr": "istio_mcp_clients_total{component=\"galley\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "clients_total", - "refId": "B" - }, - { - "expr": "go_goroutines{job=\"galley\"}/sum(istio_mcp_clients_total{component=\"galley\"}) without (component)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "avg_goroutines_per_client", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 14 - }, - "id": 10, - "panels": [], - "title": "Runtime", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 15 - }, - "id": 2, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Strategy Change Events", - "refId": "A" - }, - { - "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Processed Events", - "refId": "B" - }, - { - "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Snapshot Published", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Event Rates", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Events/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 15 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Max Time Reached", - "refId": "A" - }, - { - "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Quiesce Reached", - "refId": "B" - }, - { - "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Timer Resets", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Timer Rates", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Events/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 15 - }, - "id": 8, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 3, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P95", - "refId": "C" - }, - { - "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Events Per Snapshot", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 21 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum by (collection) (galley_runtime_state_type_instances_total)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ collection }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "State Type Instances", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Count", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 27 - }, - "id": 34, - "panels": [], - "title": "Validation", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 28 - }, - "id": 28, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "galley_validation_cert_key_updates{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Key Updates", - "refId": "A" - }, - { - "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Key Update Errors: {{ error }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Validation Webhook Certificate", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 28 - }, - "id": 30, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", - "refId": "A" - }, - { - "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Resource Validation", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 28 - }, - "id": 32, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ status }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Validation HTTP Errors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 34 - }, - "id": 12, - "panels": [], - "title": "Kubernetes Source", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 35 - }, - "id": 14, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Success", - "refId": "A" - }, - { - "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Error", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Source Event Rate", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Events/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 35 - }, - "id": 24, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Error", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Kubernetes Object Conversion Failures", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "Failures/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 41 - }, - "id": 18, - "panels": [], - "title": "Mesh Configuration Protocol", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 42 - }, - "id": 20, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_mcp_clients_total{component=\"galley\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Clients", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Connected Clients", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 42 - }, - "id": 22, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum by(collection)(irate(istio_mcp_request_acks_total{component=\"galley\"}[1m]) * 60)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Request ACKs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "ACKs/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 42 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(istio_mcp_request_nacks_total{component=\"galley\"}[1m]) * 60", - "format": "time_series", - "intervalFactor": 1, - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Request NACKs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "NACKs/min", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 7, - "w": 8, - "x": 0, - "y": 48 - }, - "id": 48, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "dataLinks": [] - }, - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(increase(istio_mcp_message_sizes_bytes_bucket[5m])) by (le)", - "format": "heatmap", - "instant": false, - "intervalFactor": 1, - "legendFormat": "{{le}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Response message sizes", - "tooltip": { - "shared": true, - "sort": 2, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "none", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Galley Dashboard", - "uid": "TSEY6jLmk", - "version": 1 -} -' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-istio-mesh-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - istio-mesh-dashboard.json: '{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "5.2.3" - }, - { - "type": "panel", - "id": "graph", - "name": "Graph", - "version": "5.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "singlestat", - "name": "Singlestat", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "text", - "name": "Text", - "version": "5.0.0" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": null, - "links": [], - "panels": [ - { - "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "height": "50px", - "id": 13, - "links": [], - "mode": "html", - "style": { - "font-size": "18pt" - }, - "title": "", - "transparent": true, - "type": "text" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 0, - "y": 3 - }, - "id": 20, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Global Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 6, - "y": 3 - }, - "id": 21, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "95, 99, 99.5", - "title": "Global Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 12, - "y": 3 - }, - "id": 22, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "4xxs", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 3, - "w": 6, - "x": 18, - "y": 3 - }, - "id": 23, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "5xxs", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "columns": [], - "datasource": "Prometheus", - "fontSize": "100%", - "gridPos": { - "h": 21, - "w": 24, - "x": 0, - "y": 6 - }, - "hideTimeOverride": false, - "id": 73, - "links": [], - "pageSize": null, - "repeat": null, - "repeatDirection": "v", - "scroll": true, - "showHeader": true, - "sort": { - "col": 4, - "desc": true - }, - "styles": [ - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": false, - "linkTargetBlank": false, - "linkTooltip": "Workload dashboard", - "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", - "pattern": "destination_workload", - "preserveFormat": false, - "sanitize": false, - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Time", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Requests", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #A", - "thresholds": [], - "type": "number", - "unit": "ops" - }, - { - "alias": "P50 Latency", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #B", - "thresholds": [], - "type": "number", - "unit": "s" - }, - { - "alias": "P90 Latency", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #D", - "thresholds": [], - "type": "number", - "unit": "s" - }, - { - "alias": "P99 Latency", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #E", - "thresholds": [], - "type": "number", - "unit": "s" - }, - { - "alias": "Success Rate", - "colorMode": "cell", - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #F", - "thresholds": [ - ".95", - " 1.00" - ], - "type": "number", - "unit": "percentunit" - }, - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", - "pattern": "destination_workload_var", - "thresholds": [], - "type": "number", - "unit": "short" - }, - { - "alias": "Service", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", - "pattern": "destination_service", - "thresholds": [], - "type": "string", - "unit": "short" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "destination_workload_namespace", - "thresholds": [], - "type": "hidden", - "unit": "short" - } - ], - "targets": [ - { - "expr": "label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", - "refId": "A" - }, - { - "expr": "label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", - "refId": "B" - }, - { - "expr": "label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "D" - }, - { - "expr": "label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "E" - }, - { - "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "F" - } - ], - "timeFrom": null, - "title": "HTTP/GRPC Workloads", - "transform": "table", - "transparent": false, - "type": "table" - }, - { - "columns": [], - "datasource": "Prometheus", - "fontSize": "100%", - "gridPos": { - "h": 18, - "w": 24, - "x": 0, - "y": 27 - }, - "hideTimeOverride": false, - "id": 109, - "links": [], - "pageSize": null, - "repeatDirection": "v", - "scroll": true, - "showHeader": true, - "sort": { - "col": 2, - "desc": true - }, - "styles": [ - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": false, - "linkTargetBlank": false, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", - "pattern": "destination_workload", - "preserveFormat": false, - "sanitize": false, - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Bytes Sent", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #A", - "thresholds": [ - "" - ], - "type": "number", - "unit": "Bps" - }, - { - "alias": "Bytes Received", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Value #C", - "thresholds": [], - "type": "number", - "unit": "Bps" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "Time", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Workload", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", - "pattern": "destination_workload_var", - "thresholds": [], - "type": "string", - "unit": "short" - }, - { - "alias": "", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "pattern": "destination_workload_namespace", - "thresholds": [], - "type": "hidden", - "unit": "short" - }, - { - "alias": "Service", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "decimals": 2, - "link": true, - "linkTooltip": "$__cell dashboard", - "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", - "pattern": "destination_service", - "thresholds": [], - "type": "number", - "unit": "short" - } - ], - "targets": [ - { - "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}", - "refId": "C" - }, - { - "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", - "format": "table", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}", - "refId": "A" - } - ], - "timeFrom": null, - "title": "TCP Workloads", - "transform": "table", - "transparent": false, - "type": "table" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 9, - "w": 24, - "x": 0, - "y": 45 - }, - "id": 111, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build) by (component, tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ component }}: {{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Istio Components by Version", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": false, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "browser", - "title": "Istio Mesh Dashboard", - "version": 4 -} -' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-istio-performance-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - istio-performance-dashboard.json: '{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": 9, - "links": [], - "panels": [ - { - "collapsed": true, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 21, - "panels": [ - { - "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.\n\n\n", - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 1 - }, - "id": 19, - "links": [], - "mode": "markdown", - "timeFrom": null, - "timeShift": null, - "title": "Performance Dashboard README", - "transparent": true, - "type": "text" - } - ], - "title": "Performance Dashboard Notes", - "type": "row" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 1 - }, - "id": 6, - "panels": [], - "title": "vCPU Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 2 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "istio-telemetry", - "refId": "A" - }, - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "istio-ingressgateway", - "refId": "B" - }, - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-proxy", - "refId": "C" - }, - { - "expr": "(sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-policy", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU / 1k rps", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 2 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-telemetry", - "refId": "A" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-ingressgateway", - "refId": "B" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-proxy", - "refId": "C" - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-policy", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 10 - }, - "id": 13, - "panels": [], - "title": "Memory and Data Rates", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 11 - }, - "id": 902, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-telemetry / 1k rps", - "refId": "A" - }, - { - "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "per istio-ingressgateway", - "refId": "B" - }, - { - "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",namespace!=\"istio-system\",container_name=\"istio-proxy\"})", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "per istio proxy", - "refId": "C" - }, - { - "expr": "(sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-policy / 1k rps", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory Usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 11 - }, - "id": 11, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-telemetry", - "refId": "A" - }, - { - "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-ingressgateway", - "refId": "B" - }, - { - "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio-proxy", - "refId": "C" - }, - { - "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "istio_policy", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Bytes transferred / sec", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 19 - }, - "id": 17, - "panels": [], - "title": "Istio Component Versions", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "fill": 1, - "gridPos": { - "h": 8, - "w": 24, - "x": 0, - "y": 20 - }, - "id": 15, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build) by (component, tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ component }}: {{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Istio Components by Version", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 31 - }, - "id": 71, - "panels": [], - "title": "Proxy Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 32 - }, - "id": 72, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 32 - }, - "id": 73, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 32 - }, - "id": 702, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=\"istio-proxy\"})", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 39 - }, - "id": 69, - "panels": [], - "title": "Pilot Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 40 - }, - "id": 5, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "I", - "step": 2 - }, - { - "expr": "process_resident_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "H", - "step": 2 - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "A" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F", - "step": 2 - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "E", - "step": 2 - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "G", - "step": 2 - }, - { - "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "C", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 40 - }, - "id": 602, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "pilot (self-reported)", - "refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 40 - }, - "id": 74, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs (pilot)", - "refId": "A" - }, - { - "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 40 - }, - "id": 402, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 47 - }, - "id": 93, - "panels": [], - "title": "Mixer Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 48 - }, - "id": 94, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "I", - "step": 2 - }, - { - "expr": "process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "H", - "step": 2 - }, - { - "expr": "go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "A" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F", - "step": 2 - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "E", - "step": 2 - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=~\"istio-policy|istio-telemetry\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "G", - "step": 2 - }, - { - "expr": "sum(container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"})", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "C", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 48 - }, - "id": 95, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Total (k8s)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}[1m])) by (container_name)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ container_name }} (k8s)", - "refId": "B", - "step": 2 - }, - { - "expr": "irate(process_cpu_seconds_total{job=~\"istio-policy|istio-telemetry\"}[1m])", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "mixer (self-reported)", - "refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "vCPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 48 - }, - "id": 96, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_open_fds{job=~\"istio-policy|istio-telemetry\"}", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs (pilot)", - "refId": "A" - }, - { - "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ container_name }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 48 - }, - "id": 97, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"istio-telemetry\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "10s", - "schemaVersion": 18, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Performance Dashboard", - "uid": "vu8e0VWZk", - "version": 22 -} -' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-istio-service-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - istio-service-dashboard.json: '{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "iteration": 1536442501501, - "links": [], - "panels": [ - { - "content": "
\nSERVICE: $service\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 89, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 0, - "y": 3 - }, - "id": 12, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Client Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(237, 129, 40, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "decimals": null, - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 6, - "y": 3 - }, - "id": 14, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "B" - } - ], - "thresholds": "95, 99, 99.5", - "title": "Client Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 4, - "w": 6, - "x": 12, - "y": 3 - }, - "id": 87, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "interval": "", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Client Request Duration", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 3 - }, - "id": 84, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Received Bytes", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 97, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Server Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(237, 129, 40, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "decimals": null, - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 6, - "y": 7 - }, - "id": 98, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "B" - } - ], - "thresholds": "95, 99, 99.5", - "title": "Server Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 4, - "w": 6, - "x": 12, - "y": 7 - }, - "id": 99, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "interval": "", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Server Request Duration", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 7 - }, - "id": 100, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Sent Bytes", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "content": "
\nCLIENT WORKLOADS\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 11 - }, - "id": 45, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 14 - }, - "id": 25, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests by Source And Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 14 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Success Rate (non-5xx responses) By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 20 - }, - "id": 27, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Duration by Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 20 - }, - "id": 28, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 20 - }, - "id": 68, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 80, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 82, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent to Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "
\nSERVICE WORKLOADS\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 32 - }, - "id": 69, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 35 - }, - "id": 90, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests by Destination And Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 35 - }, - "id": 91, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Success Rate (non-5xx responses) By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 41 - }, - "id": 94, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Duration by Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 41 - }, - "id": 95, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 41 - }, - "id": 96, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 47 - }, - "id": 92, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 47 - }, - "id": 93, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent to Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "10s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "allValue": null, - "datasource": "Prometheus", - "hide": 0, - "includeAll": false, - "label": "Service", - "multi": false, - "name": "service", - "options": [], - "query": "label_values(destination_service)", - "refresh": 1, - "regex": "", - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Client Workload Namespace", - "multi": true, - "name": "srcns", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", - "refresh": 1, - "regex": "/.*namespace=\"([^\"]*).*/", - "sort": 2, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Client Workload", - "multi": true, - "name": "srcwl", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 3, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Service Workload Namespace", - "multi": true, - "name": "dstns", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", - "refresh": 1, - "regex": "/.*namespace=\"([^\"]*).*/", - "sort": 2, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": { - "text": "All", - "value": "$__all" - }, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Service Workload", - "multi": true, - "name": "dstwl", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 3, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Service Dashboard", - "uid": "LJ_uJAvmk", - "version": 1 -} -' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-istio-workload-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - istio-workload-dashboard.json: '{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "5.0.4" - }, - { - "type": "panel", - "id": "graph", - "name": "Graph", - "version": "5.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "singlestat", - "name": "Singlestat", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "text", - "name": "Text", - "version": "5.0.0" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": null, - "iteration": 1531345461465, - "links": [], - "panels": [ - { - "content": "
\nWORKLOAD: $workload.$namespace\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 89, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "datasource": "Prometheus", - "format": "ops", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 8, - "x": 0, - "y": 3 - }, - "id": 12, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "refId": "A", - "step": 4 - } - ], - "thresholds": "", - "title": "Incoming Request Volume", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "current" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "rgba(50, 172, 45, 0.97)", - "rgba(237, 129, 40, 0.89)", - "rgba(245, 54, 54, 0.9)" - ], - "datasource": "Prometheus", - "decimals": null, - "format": "percentunit", - "gauge": { - "maxValue": 100, - "minValue": 80, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": false - }, - "gridPos": { - "h": 4, - "w": 8, - "x": 8, - "y": 3 - }, - "id": 14, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", - "format": "time_series", - "intervalFactor": 1, - "refId": "B" - } - ], - "thresholds": "95, 99, 99.5", - "title": "Incoming Success Rate (non-5xx responses)", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 4, - "w": 8, - "x": 16, - "y": 3 - }, - "id": 87, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", - "format": "time_series", - "interval": "", - "intervalFactor": 1, - "legendFormat": "P50", - "refId": "A" - }, - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P90", - "refId": "B" - }, - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "P99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Request Duration", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 12, - "x": 0, - "y": 7 - }, - "id": 84, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Server Traffic", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "cacheTimeout": null, - "colorBackground": false, - "colorValue": false, - "colors": [ - "#299c46", - "rgba(237, 129, 40, 0.89)", - "#d44a3a" - ], - "datasource": "Prometheus", - "format": "Bps", - "gauge": { - "maxValue": 100, - "minValue": 0, - "show": false, - "thresholdLabels": false, - "thresholdMarkers": true - }, - "gridPos": { - "h": 4, - "w": 12, - "x": 12, - "y": 7 - }, - "id": 85, - "interval": null, - "links": [], - "mappingType": 1, - "mappingTypes": [ - { - "name": "value to text", - "value": 1 - }, - { - "name": "range to text", - "value": 2 - } - ], - "maxDataPoints": 100, - "nullPointMode": "connected", - "nullText": null, - "postfix": "", - "postfixFontSize": "50%", - "prefix": "", - "prefixFontSize": "50%", - "rangeMaps": [ - { - "from": "null", - "text": "N/A", - "to": "null" - } - ], - "sparkline": { - "fillColor": "rgba(31, 118, 189, 0.18)", - "full": true, - "lineColor": "rgb(31, 120, 193)", - "show": true - }, - "tableColumn": "", - "targets": [ - { - "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": "", - "title": "TCP Client Traffic", - "transparent": false, - "type": "singlestat", - "valueFontSize": "80%", - "valueMaps": [ - { - "op": "=", - "text": "N/A", - "value": "null" - } - ], - "valueName": "avg" - }, - { - "content": "
\nINBOUND WORKLOADS\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 11 - }, - "id": 45, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 14 - }, - "id": 25, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests by Source And Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 14 - }, - "id": 26, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Success Rate (non-5xx responses) By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 20 - }, - "id": 27, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Duration by Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 20 - }, - "id": 28, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Request Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 20 - }, - "id": 68, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Source", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 80, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 82, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent to Incoming TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - }, - { - "content": "
\nOUTBOUND SERVICES\n
", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 32 - }, - "id": 69, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 35 - }, - "id": 70, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} : {{ response_code }}", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Requests by Destination And Response Code", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 35 - }, - "id": 71, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{destination_service }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Success Rate (non-5xx responses) By Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "percentunit", - "label": null, - "logBase": 1, - "max": "1.01", - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 41 - }, - "id": 72, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": false, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Request Duration by Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 41 - }, - "id": 73, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Outgoing Request Size By Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 41 - }, - "id": 74, - "legend": { - "alignAsTable": false, - "avg": false, - "current": false, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", - "refId": "D", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", - "refId": "B", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", - "refId": "C", - "step": 2 - }, - { - "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P50", - "refId": "E", - "step": 2 - }, - { - "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P90", - "refId": "F", - "step": 2 - }, - { - "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P95", - "refId": "G", - "step": 2 - }, - { - "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} P99", - "refId": "H", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Size By Destination", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 47 - }, - "id": 76, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Sent on Outgoing TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 47 - }, - "id": 78, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }} (🔐mTLS)", - "refId": "A", - "step": 2 - }, - { - "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ destination_service }}", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Bytes Received from Outgoing TCP Connection", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ] - } - ], - "refresh": "10s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": false, - "label": "Namespace", - "multi": false, - "name": "namespace", - "options": [], - "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", - "refresh": 1, - "regex": "/.*_namespace=\"([^\"]*).*/", - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": false, - "label": "Workload", - "multi": false, - "name": "workload", - "options": [], - "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Inbound Workload Namespace", - "multi": true, - "name": "srcns", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", - "refresh": 1, - "regex": "/.*namespace=\"([^\"]*).*/", - "sort": 2, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Inbound Workload", - "multi": true, - "name": "srcwl", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", - "refresh": 1, - "regex": "/.*workload=\"([^\"]*).*/", - "sort": 3, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - }, - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Destination Service", - "multi": true, - "name": "dstsvc", - "options": [], - "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", - "refresh": 1, - "regex": "/.*destination_service=\"([^\"]*).*/", - "sort": 4, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Workload Dashboard", - "uid": "UbsSZTDik", - "version": 1 -} -' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-mixer-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - mixer-dashboard.json: '{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "5.2.3" - }, - { - "type": "panel", - "id": "graph", - "name": "Graph", - "version": "5.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "5.0.0" - }, - { - "type": "panel", - "id": "text", - "name": "Text", - "version": "5.0.0" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "limit": 100, - "name": "Annotations & Alerts", - "showIn": 0, - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 1, - "id": null, - "iteration": 1543881232533, - "links": [], - "panels": [ - { - "content": "

Deployed Versions

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 0 - }, - "height": "40", - "id": 62, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 5, - "w": 24, - "x": 0, - "y": 3 - }, - "id": 64, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Mixer Versions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Resource Usage

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 8 - }, - "height": "40", - "id": 29, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 11 - }, - "id": 5, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory ({{ job }})", - "refId": "I" - }, - { - "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory ({{ job }})", - "refId": "H" - }, - { - "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys ({{ job }})", - "refId": "A" - }, - { - "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc ({{ job }})", - "refId": "D" - }, - { - "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc ({{ job }})", - "refId": "F" - }, - { - "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use ({{ job }})", - "refId": "E" - }, - { - "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use ({{ job }})", - "refId": "G" - }, - { - "expr": "sum(label_replace(container_memory_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} total (k8s)", - "refId": "C" - }, - { - "expr": "sum(label_replace(container_memory_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} - {{ container_name }} (k8s)", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 11 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} total (k8s)", - "refId": "A" - }, - { - "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ service }} - {{ container_name }} (k8s)", - "refId": "B" - }, - { - "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "{{ job }} (self-reported)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 11 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "hide": true, - "instant": false, - "interval": "", - "intervalFactor": 2, - "legendFormat": "Open FDs ({{ job }})", - "refId": "A" - }, - { - "expr": "sum(label_replace(container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ service }} - {{ container_name }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 11 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines ({{ job }})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Mixer Overview

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 18 - }, - "height": "40px", - "id": 30, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 0, - "y": 21 - }, - "id": 9, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "mixer (Total)", - "refId": "B" - }, - { - "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "mixer ({{ grpc_server_method }})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Incoming Requests", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 6, - "y": 21 - }, - "id": 8, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "{}", - "yaxis": 1 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ grpc_server_method }} 0.5", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ grpc_server_method }} 0.9", - "refId": "C" - }, - { - "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ grpc_server_method }} 0.99", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Response Durations", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 12, - "y": 21 - }, - "id": 11, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Mixer {{ grpc_method }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Server Error Rate (5xx responses)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 6, - "w": 6, - "x": 18, - "y": 21 - }, - "id": 12, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Mixer {{ grpc_method }}", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Non-successes (4xxs)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Adapters and Config

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 27 - }, - "id": 28, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 30 - }, - "id": 13, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Adapter Dispatch Count", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 30 - }, - "id": 14, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }} - p50", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }} - p90 ", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ adapter }} - p99", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Adapter Dispatch Duration", - "tooltip": { - "shared": true, - "sort": 1, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 37 - }, - "id": 60, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Rules", - "refId": "A" - }, - { - "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Config Errors", - "refId": "B" - }, - { - "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Match Errors", - "refId": "C" - }, - { - "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Unsatisfied Actions", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Rules", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 37 - }, - "id": 56, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Instances", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Instances in Latest Config", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 37 - }, - "id": 54, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Handlers", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Handlers in Latest Config", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 37 - }, - "id": 58, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", - "format": "time_series", - "instant": false, - "intervalFactor": 1, - "legendFormat": "Attributes", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Attributes in Latest Config", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "content": "

Individual Adapters

", - "gridPos": { - "h": 3, - "w": 24, - "x": 0, - "y": 44 - }, - "id": 23, - "links": [], - "mode": "html", - "title": "", - "transparent": true, - "type": "text" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 47 - }, - "id": 46, - "panels": [], - "repeat": "adapter", - "title": "$adapter Adapter", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 48 - }, - "id": 17, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "{{ handler }} (error: {{ error }})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Dispatch Count By Handler", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 48 - }, - "id": 18, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", - "refId": "A" - }, - { - "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", - "refId": "D" - }, - { - "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeShift": null, - "title": "Dispatch Duration By Handler", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 16, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "allValue": null, - "current": {}, - "datasource": "Prometheus", - "hide": 0, - "includeAll": true, - "label": "Adapter", - "multi": true, - "name": "adapter", - "options": [], - "query": "label_values(adapter)", - "refresh": 2, - "regex": "", - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } - ] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "", - "title": "Istio Mixer Dashboard", - "version": 4 -} -' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana-configuration-dashboards-pilot-dashboard - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - pilot-dashboard.json: '{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": false, - "gnetId": null, - "graphTooltip": 1, - "id": 11, - "links": [], - "panels": [ - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 60, - "panels": [], - "title": "Deployed Versions", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 5, - "w": 24, - "x": 0, - "y": 1 - }, - "id": 56, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{ tag }}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Pilot Versions", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 6 - }, - "id": 62, - "panels": [], - "title": "Resource Usage", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 5, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "process_virtual_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "instant": false, - "intervalFactor": 2, - "legendFormat": "Virtual Memory", - "refId": "I", - "step": 2 - }, - { - "expr": "process_resident_memory_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Resident Memory", - "refId": "H", - "step": 2 - }, - { - "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap sys", - "refId": "A" - }, - { - "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": true, - "intervalFactor": 2, - "legendFormat": "heap alloc", - "refId": "D" - }, - { - "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Alloc", - "refId": "F", - "step": 2 - }, - { - "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Heap in-use", - "refId": "E", - "step": 2 - }, - { - "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Stack in-use", - "refId": "G", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"discovery\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Discovery (container)", - "refId": "B", - "step": 2 - }, - { - "expr": "container_memory_usage_bytes{job=\"kubernetes-cadvisor\", container_name=~\"istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Sidecar (container)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Memory", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 6, - "y": 7 - }, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"discovery\", pod_name=~\"istio-pilot-.*\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Discovery (container)", - "refId": "A" - }, - { - "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Discovery (process)", - "refId": "C", - "step": 2 - }, - { - "expr": "sum(irate(container_cpu_usage_seconds_total{job=\"kubernetes-cadvisor\",container_name=\"istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 2, - "legendFormat": "Sidecar (container)", - "refId": "B", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "CPU", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 12, - "y": 7 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=\"discovery\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Discovery", - "refId": "B", - "step": 2 - }, - { - "expr": "container_fs_usage_bytes{job=\"kubernetes-cadvisor\", container_name=\"istio-proxy\", pod_name=~\"istio-pilot-.*\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Sidecar", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Disk", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "decimals": null, - "format": "none", - "label": "", - "logBase": 1024, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 7, - "w": 6, - "x": 18, - "y": 7 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "go_goroutines{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "Number of Goroutines", - "refId": "A", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Goroutines", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 14 - }, - "id": 58, - "panels": [], - "title": "Pilot Push Information", - "type": "row" - }, - { - "aliasColors": {}, - "bars": true, - "dashLength": 10, - "dashes": false, - "description": "Shows the rate of pilot pushes", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 15 - }, - "id": 622, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": false, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "paceLength": 10, - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": true, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Cluster", - "refId": "C" - }, - { - "expr": "sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Endpoints", - "refId": "D" - }, - { - "expr": "sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Listeners", - "refId": "A" - }, - { - "expr": "sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Routes", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Pilot Pushes", - "tooltip": { - "shared": false, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [ - "total" - ] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Captures a variety of pilot errors", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 15 - }, - "id": 67, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(pilot_xds_cds_reject{job=\"pilot\"}) or (absent(pilot_xds_cds_reject{job=\"pilot\"}) - 1)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Rejected CDS Configs", - "refId": "C" - }, - { - "expr": "sum(pilot_xds_eds_reject{job=\"pilot\"}) or (absent(pilot_xds_eds_reject{job=\"pilot\"}) - 1)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Rejected EDS Configs", - "refId": "D" - }, - { - "expr": "sum(pilot_xds_rds_reject{job=\"pilot\"}) or (absent(pilot_xds_rds_reject{job=\"pilot\"}) - 1)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Rejected RDS Configs", - "refId": "A" - }, - { - "expr": "sum(pilot_xds_lds_reject{job=\"pilot\"}) or (absent(pilot_xds_lds_reject{job=\"pilot\"}) - 1)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Rejected LDS Configs", - "refId": "B" - }, - { - "expr": "sum(rate(pilot_xds_write_timeout{job=\"pilot\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Write Timeouts", - "refId": "F" - }, - { - "expr": "sum(rate(pilot_total_xds_internal_errors{job=\"pilot\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Internal Errors", - "refId": "H" - }, - { - "expr": "sum(rate(pilot_total_xds_rejects{job=\"pilot\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Config Rejection Rate", - "refId": "E" - }, - { - "expr": "sum(rate(pilot_xds_push_context_errors{job=\"pilot\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Push Context Errors", - "refId": "K" - }, - { - "expr": "sum(rate(pilot_xds_pushes{type!~\"lds|cds|rds|eds\"}[1m])) by (type)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Push Errors ({{ type }})", - "refId": "L" - }, - { - "expr": "sum(rate(pilot_xds_push_errors{job=\"pilot\"}[1m])) by (type)", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Push Errors ({{ type }})", - "refId": "I" - }, - { - "expr": "sum(rate(pilot_xds_push_timeout{job=\"pilot\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Push Timeouts", - "refId": "G" - }, - { - "expr": "sum(rate(pilot_xds_push_timeout_failures{job=\"pilot\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Push Timeouts Failures", - "refId": "J" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Pilot Errors", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Shows the total time it takes to push a config update to a proxy", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 16, - "y": 15 - }, - "id": 624, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p50 ", - "refId": "A" - }, - { - "expr": "histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p90", - "refId": "B" - }, - { - "expr": "histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p99", - "refId": "C" - }, - { - "expr": "histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p99.9", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Proxy Push Time", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 23 - }, - "id": 45, - "legend": { - "avg": false, - "current": false, - "hideEmpty": true, - "hideZero": true, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null as zero", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Inbound Listeners", - "refId": "B" - }, - { - "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (http over current tcp)", - "refId": "A" - }, - { - "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (tcp over current tcp)", - "refId": "C" - }, - { - "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "Outbound Listeners (tcp over current http)", - "refId": "D" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Conflicts", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 23 - }, - "id": 47, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "pilot_virt_services{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Virtual Services", - "refId": "A" - }, - { - "expr": "pilot_services{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Services", - "refId": "B" - }, - { - "expr": "pilot_xds{job=\"pilot\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Connected Endpoints", - "refId": "E" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "ADS Monitoring", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "columns": [], - "datasource": "Prometheus", - "description": "Clusters in this table do not have any endpoints known to pilot. This could be from referencing subsets that do not have any instances, or pods marked as NotReady", - "fontSize": "100%", - "gridPos": { - "h": 8, - "w": 8, - "x": 16, - "y": 23 - }, - "id": 51, - "links": [], - "pageSize": null, - "scroll": true, - "showHeader": true, - "sort": { - "col": null, - "desc": false - }, - "styles": [ - { - "alias": "Time", - "dateFormat": "YYYY-MM-DD HH:mm:ss", - "pattern": "Time", - "type": "date" - }, - { - "alias": "Clusters", - "colorMode": null, - "colors": [ - "rgba(245, 54, 54, 0.9)", - "rgba(237, 129, 40, 0.89)", - "rgba(50, 172, 45, 0.97)" - ], - "decimals": 2, - "pattern": "/.*/", - "thresholds": [], - "type": "number", - "unit": "short" - } - ], - "targets": [ - { - "expr": "sum(pilot_xds_eds_instances{job=\"pilot\", cluster=~\".+\\\\|.+\"}) by (cluster) < 1", - "format": "time_series", - "hide": false, - "instant": true, - "intervalFactor": 1, - "legendFormat": "{{cluster}}", - "refId": "B" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Clusters with no known endpoints", - "transform": "timeseries_aggregations", - "type": "table" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 31 - }, - "id": 64, - "panels": [], - "title": "Envoy Information", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Shows details about Envoy proxies in the mesh", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 32 - }, - "id": 40, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "XDS Connections", - "refId": "C" - }, - { - "expr": "sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "XDS Connection Failures", - "refId": "A" - }, - { - "expr": "sum(increase(envoy_server_hot_restart_epoch[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Envoy Restarts", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Envoy Details", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 32 - }, - "id": 41, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", - "format": "time_series", - "intervalFactor": 2, - "legendFormat": "XDS Active Connections", - "refId": "C", - "step": 2 - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "XDS Active Connections", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "Prometheus", - "description": "Shows the size of XDS requests and responses", - "fill": 1, - "gridPos": { - "h": 8, - "w": 8, - "x": 16, - "y": 32 - }, - "id": 42, - "legend": { - "avg": false, - "current": false, - "hideEmpty": false, - "hideZero": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 5, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "XDS Response Bytes Max", - "refId": "D" - }, - { - "expr": "quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "hide": false, - "intervalFactor": 1, - "legendFormat": "XDS Response Bytes Average", - "refId": "B" - }, - { - "expr": "max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "XDS Request Bytes Max", - "refId": "A" - }, - { - "expr": "quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "XDS Request Bytes Average", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "XDS Requests Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "Bps", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "ops", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": "5s", - "schemaVersion": 18, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-5m", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "30d" - ] - }, - "timezone": "browser", - "title": "Istio Pilot Dashboard", - "uid": "3--MLVZZk", - "version": 11 -}' ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-grafana - namespace: istio-system - labels: - app: grafana - release: istio - istio: grafana -data: - datasources.yaml: | - apiVersion: 1 - datasources: - - access: proxy - editable: true - isDefault: true - jsonData: - timeInterval: 5s - name: Prometheus - orgId: 1 - type: prometheus - url: http://prometheus:9090 - - dashboardproviders.yaml: | - apiVersion: 1 - providers: - - disableDeletion: false - folder: istio - name: istio - options: - path: /var/lib/grafana/dashboards/istio - orgId: 1 - type: file ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grafana - namespace: istio-system - labels: - app: grafana - release: istio -spec: - replicas: 1 - selector: - matchLabels: - app: grafana - template: - metadata: - labels: - app: grafana - chart: grafana - heritage: Tiller - release: istio-system - annotations: - sidecar.istio.io/inject: "false" - spec: - securityContext: - runAsUser: 472 - fsGroup: 472 - containers: - - name: grafana - image: "grafana/grafana:6.4.3" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 3000 - readinessProbe: - httpGet: - path: /api/health - port: 3000 - env: - - name: GRAFANA_PORT - value: "3000" - - name: GF_AUTH_BASIC_ENABLED - value: "false" - - name: GF_AUTH_ANONYMOUS_ENABLED - value: "true" - - name: GF_AUTH_ANONYMOUS_ORG_ROLE - value: Admin - - name: GF_PATHS_DATA - value: /data/grafana - resources: - requests: - cpu: 10m - - volumeMounts: - - name: data - mountPath: /data/grafana - - name: dashboards-istio-citadel-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/citadel-dashboard.json" - subPath: citadel-dashboard.json - readOnly: true - - name: dashboards-istio-galley-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/galley-dashboard.json" - subPath: galley-dashboard.json - readOnly: true - - name: dashboards-istio-istio-mesh-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/istio-mesh-dashboard.json" - subPath: istio-mesh-dashboard.json - readOnly: true - - name: dashboards-istio-istio-performance-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/istio-performance-dashboard.json" - subPath: istio-performance-dashboard.json - readOnly: true - - name: dashboards-istio-istio-service-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/istio-service-dashboard.json" - subPath: istio-service-dashboard.json - readOnly: true - - name: dashboards-istio-istio-workload-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/istio-workload-dashboard.json" - subPath: istio-workload-dashboard.json - readOnly: true - - name: dashboards-istio-mixer-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/mixer-dashboard.json" - subPath: mixer-dashboard.json - readOnly: true - - name: dashboards-istio-pilot-dashboard - mountPath: "/var/lib/grafana/dashboards/istio/pilot-dashboard.json" - subPath: pilot-dashboard.json - readOnly: true - - name: config - mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" - subPath: datasources.yaml - - name: config - mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" - subPath: dashboardproviders.yaml - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - volumes: - - name: config - configMap: - name: istio-grafana - - name: data - emptyDir: {} - - name: dashboards-istio-citadel-dashboard - configMap: - name: istio-grafana-configuration-dashboards-citadel-dashboard - - name: dashboards-istio-galley-dashboard - configMap: - name: istio-grafana-configuration-dashboards-galley-dashboard - - name: dashboards-istio-istio-mesh-dashboard - configMap: - name: istio-grafana-configuration-dashboards-istio-mesh-dashboard - - name: dashboards-istio-istio-performance-dashboard - configMap: - name: istio-grafana-configuration-dashboards-istio-performance-dashboard - - name: dashboards-istio-istio-service-dashboard - configMap: - name: istio-grafana-configuration-dashboards-istio-service-dashboard - - name: dashboards-istio-istio-workload-dashboard - configMap: - name: istio-grafana-configuration-dashboards-istio-workload-dashboard - - name: dashboards-istio-mixer-dashboard - configMap: - name: istio-grafana-configuration-dashboards-mixer-dashboard - - name: dashboards-istio-pilot-dashboard - configMap: - name: istio-grafana-configuration-dashboards-pilot-dashboard ---- - - -apiVersion: authentication.istio.io/v1alpha1 -kind: Policy -metadata: - name: grafana-ports-mtls-disabled - namespace: istio-system - labels: - app: grafana - release: istio -spec: - targets: - - name: grafana - ports: - - number: 3000 ---- - - -apiVersion: v1 -kind: Service -metadata: - name: grafana - namespace: istio-system - annotations: - labels: - app: grafana - release: istio -spec: - type: ClusterIP - ports: - - port: 3000 - targetPort: 3000 - protocol: TCP - name: http - selector: - app: grafana ---- - -# Resources for IngressGateway component - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: istio-ingressgateway - chart: gateways - heritage: Tiller - istio: ingressgateway - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --connectTimeout - - 10s - - --serviceCluster - - istio-ingressgateway - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyAdminPort - - "15000" - - --statusPort - - "15020" - - --controlPlaneAuthPolicy - - NONE - - --discoveryAddress - - istio-pilot.istio-system:15010 - - --trust-domain=cluster.local - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - - name: ISTIO_METAJSON_LABELS - value: | - {"app":"istio-ingressgateway","istio":"ingressgateway"} - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15020 - - containerPort: 80 - - containerPort: 443 - - containerPort: 15029 - - containerPort: 15030 - - containerPort: 15031 - - containerPort: 15032 - - containerPort: 15443 - - containerPort: 15011 - - containerPort: 8060 - - containerPort: 853 - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 10m - memory: 40Mi - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - serviceAccountName: istio-ingressgateway-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-ingressgateway-service-account - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs - ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: ingressgateway - namespace: istio-system - labels: - release: istio -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" - # Additional ports in gateaway for the ingressPorts - apps using dedicated port instead of hostname ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - release: istio - istio: ingressgateway -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - release: istio - istio: ingressgateway ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-ingressgateway - namespace: istio-system - annotations: - labels: - app: istio-ingressgateway - release: istio - istio: ingressgateway -spec: - type: LoadBalancer - selector: - app: istio-ingressgateway - ports: - - - name: status-port - port: 15020 - targetPort: 15020 - - - name: http2 - port: 80 - targetPort: 80 - - - name: https - port: 443 - - - name: kiali - port: 15029 - targetPort: 15029 - - - name: prometheus - port: 15030 - targetPort: 15030 - - - name: grafana - port: 15031 - targetPort: 15031 - - - name: tracing - port: 15032 - targetPort: 15032 - - - name: tls - port: 15443 - targetPort: 15443 ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-ingressgateway-service-account - namespace: istio-system - labels: - app: istio-ingressgateway - release: istio ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: Sidecar -metadata: - name: default - namespace: istio-system - labels: - release: istio -spec: - egress: - - hosts: - - "*/*" ---- - -# Resources for Injector component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-sidecar-injector-istio-system - labels: - app: sidecar-injector - release: istio - istio: sidecar-injector -rules: -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["istio-sidecar-injector"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-istio-system"] - verbs: ["get", "list", "watch", "patch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-sidecar-injector-admin-role-binding-istio-system - labels: - app: sidecar-injector - release: istio - istio: sidecar-injector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-sidecar-injector-istio-system -subjects: - - kind: ServiceAccount - name: istio-sidecar-injector-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: injector-mesh - namespace: istio-system - labels: - release: istio -data: - # This is the 'mesh' config, loaded by the sidecar injector. - # It is a different configmap from pilot to allow a-la-carte install of the injector and follow the model - # of reducing blast-radius of config changes and avoiding globals. - - # Note that injector uses a subset of the mesh config only - for clarity this is only generating the - # required config, i.e. the defaultConfig section. See injection-template .ProxyConfig settings. - - - mesh: |- - # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: "" - - defaultConfig: - # - # TCP connection timeout between Envoy & the application, and between Envoys. - connectTimeout: 10s - # - ### ADVANCED SETTINGS ############# - # Where should envoy's configuration be stored in the istio-proxy container - configPath: "/etc/istio/proxy" - # The pseudo service name used for Envoy. - serviceCluster: istio-proxy - # These settings that determine how long an old Envoy - # process should be kept alive after an occasional reload. - drainDuration: 45s - parentShutdownDuration: 1m0s - # - # Port where Envoy listens (on local host) for admin commands - # You can exec into the istio-proxy container in a pod and - # curl the admin port (curl http://localhost:15000/) to obtain - # diagnostic information from Envoy. See - # https://lyft.github.io/envoy/docs/operations/admin.html - # for more details - proxyAdminPort: 15000 - # - # Set concurrency to a specific number to control the number of Proxy worker threads. - # If set to 0 (default), then start worker thread for each CPU thread/core. - concurrency: 2 - # - tracing: - zipkin: - # Address of the Zipkin collector - address: zipkin.istio-system:9411 - # - # Mutual TLS authentication between sidecars and istio control plane. - controlPlaneAuthPolicy: NONE - # - # Address where istio Pilot service is running - discoveryAddress: istio-pilot.istio-system:15010 ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: sidecarInjectorWebhook - istio: sidecar-injector - release: istio - name: istio-sidecar-injector - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: sidecar-injector - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: sidecarInjectorWebhook - chart: sidecarInjectorWebhook - heritage: Tiller - istio: sidecar-injector - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --caCertFile=/etc/istio/certs/root-cert.pem - - --tlsCertFile=/etc/istio/certs/cert-chain.pem - - --tlsKeyFile=/etc/istio/certs/key.pem - - --injectConfig=/etc/istio/inject/config - - --meshConfig=/etc/istio/config/mesh - - --port=9443 - - --healthCheckInterval=2s - - --healthCheckFile=/tmp/health - - --reconcileWebhookConfig=true - - --webhookConfigName=istio-sidecar-injector - - --log_output_level=debug - image: docker.io/istio/sidecar_injector:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /usr/local/bin/sidecar-injector - - probe - - --probe-path=/tmp/health - - --interval=4s - initialDelaySeconds: 4 - periodSeconds: 4 - name: sidecar-injector-webhook - readinessProbe: - exec: - command: - - /usr/local/bin/sidecar-injector - - probe - - --probe-path=/tmp/health - - --interval=4s - initialDelaySeconds: 4 - periodSeconds: 4 - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - readOnly: true - - mountPath: /etc/istio/certs - name: certs - readOnly: true - - mountPath: /etc/istio/inject - name: inject-config - readOnly: true - serviceAccountName: istio-sidecar-injector-service-account - volumes: - - configMap: - name: injector-mesh - name: config-volume - - name: certs - secret: - secretName: istio.istio-sidecar-injector-service-account - - configMap: - items: - - key: config - path: config - - key: values - path: values - name: istio-sidecar-injector - name: inject-config - ---- - - -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-sidecar-injector - - labels: - app: sidecar-injector - release: istio -webhooks: - - name: sidecar-injector.istio.io - clientConfig: - service: - name: istio-sidecar-injector - namespace: istio-system - path: "/inject" - caBundle: "" - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - namespaceSelector: - matchLabels: - istio-injection: enabled ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - app: sidecar-injector - release: istio - istio: sidecar-injector -spec: - minAvailable: 1 - selector: - matchLabels: - app: sidecar-injector - release: istio - istio: sidecar-injector ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - app: sidecarInjectorWebhook - release: istio - istio: sidecar-injector -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - istio: sidecar-injector ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-sidecar-injector-service-account - namespace: istio-system - labels: - app: sidecarInjectorWebhook - release: istio - istio: sidecar-injector ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - release: istio - app: sidecar-injector - istio: sidecar-injector -data: - values: |- - {"certmanager":{"enabled":false,"hub":"quay.io/jetstack","image":"cert-manager-controller","namespace":"istio-system","tag":"v0.6.2"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":false,"enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"namespace":"istio-system","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP","zvpn":{"enabled":true,"suffix":"global"}},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":false,"debug":"info","domain":"","enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"namespace":"istio-system","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"LoadBalancer","zvpn":{"enabled":true,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":false,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":false,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshNetworks":{},"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"/dev/stdout","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"10m","memory":"40Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"securityNamespace":"istio-system","tag":"1.4.5","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"cluster.local","useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":true,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":true,"dashboard":{"passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":true,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.9"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":true,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":false,"enabled":true,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":false,"enabled":true,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[],"useMCP":true}},"nodeagent":{"enabled":false,"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":false,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"OFF","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1,"useMCP":true},"prometheus":{"contextPath":"/prometheus","enabled":true,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.12.0","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":true,"image":"citadel","namespace":"istio-system","selfSigned":true,"trustDomain":"cluster.local"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":true},"v2":{"enabled":false,"prometheus":{"enabled":true},"stackdriver":{"configOverride":{},"enabled":false,"logging":false,"monitoring":false,"topology":false}}},"tracing":{"enabled":true,"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":true,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.14"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} - - config: |- - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - template: | - {{- $cniDisabled := (not .Values.istio_cni.enabled) }} - {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }} - {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }} - rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} - {{- if $enableInitContainer }} - initContainers: - {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if $cniRepairEnabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - command: - {{- if $cniRepairEnabled }} - - istio-iptables-go - {{- else }} - - istio-iptables - {{- end }} - - "-p" - - "15001" - - "-z" - - "15006" - - "-u" - - 1337 - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if $cniRepairEnabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{- if .Values.global.proxy_init.resources }} - resources: - {{ toYaml .Values.global.proxy_init.resources | indent 4 }} - {{- else }} - resources: {} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not $cniRepairEnabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - readOnlyRootFilesystem: false - {{- if not $cniRepairEnabled }} - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --configPath - - "/etc/istio/proxy" - - --binaryPath - - "/usr/local/bin/envoy" - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - - --drainDuration - - "{{ formatDuration .ProxyConfig.DrainDuration }}" - - --parentShutdownDuration - - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" - - --discoveryAddress - - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" - {{- if eq .Values.global.proxy.tracer "lightstep" }} - - --lightstepAddress - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" - - --lightstepAccessToken - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" - - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} - - --lightstepCacertPath - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - - --zipkinAddress - - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" - {{- else if eq .Values.global.proxy.tracer "datadog" }} - - --datadogAgentAddress - - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" - {{- end }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} - - --connectTimeout - - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" - {{- if .Values.global.proxy.envoyStatsd.enabled }} - - --statsdUdpAddress - - "{{ .ProxyConfig.StatsdUdpAddress }}" - {{- end }} - {{- if .Values.global.proxy.envoyMetricsService.enabled }} - - --envoyMetricsServiceAddress - - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" - {{- end }} - {{- if .Values.global.proxy.envoyAccessLogService.enabled }} - - --envoyAccessLogServiceAddress - - "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}" - {{- end }} - - --proxyAdminPort - - "{{ .ProxyConfig.ProxyAdminPort }}" - {{ if gt .ProxyConfig.Concurrency 0 -}} - - --concurrency - - "{{ .ProxyConfig.Concurrency }}" - {{ end -}} - {{- if .Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - {{- else }} - - --controlPlaneAuthPolicy - - NONE - {{- end }} - - --dnsRefreshRate - - {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }} - {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} - - --statusPort - - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" - - --applicationPorts - - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" - - {{- end }} - {{- if .Values.global.trustDomain }} - - --trust-domain={{ .Values.global.trustDomain }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if eq .Values.global.proxy.tracer "datadog" }} - {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- end }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "{{ .Values.global.sds.enabled }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} - {{ if .ObjectMeta.Labels }} - - name: ISTIO_METAJSON_LABELS - value: | - {{ toJSON .ObjectMeta.Labels }} - {{ end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{ .DeploymentMeta.Name }} - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.sds.customTokenDirectory }} - - name: ISTIO_META_SDS_TOKEN_PATH - value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if .Values.global.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.trustDomain }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - add: - - NET_ADMIN - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} - runAsGroup: 1337 - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end}} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{ else -}} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} - {{- end }} - {{ end -}} - volumeMounts: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if .Values.global.sds.enabled }} - - mountPath: /var/run/sds - name: sds-uds-path - readOnly: true - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.sds.customTokenDirectory }} - - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" - name: custom-sds-token - readOnly: true - {{- end }} - {{- else }} - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - - emptyDir: - medium: Memory - name: istio-envoy - {{- if .Values.global.sds.enabled }} - - name: sds-uds-path - hostPath: - path: /var/run/sds - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if .Values.global.sds.customTokenDirectory }} - - name: custom-sds-token - secret: - secretName: sdstokensecret - {{- end }} - {{- else }} - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 2 }} - {{ end }} - {{ end }} - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.podDNSSearchNamespaces }} - dnsConfig: - searches: - {{- range .Values.global.podDNSSearchNamespaces }} - - {{ render . }} - {{- end }} - {{- end }} - injectedAnnotations: ---- - -# Resources for Kiali component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali - labels: - app: kiali - release: istio -rules: - - apiGroups: [""] - resources: - - configmaps - - endpoints - - namespaces - - nodes - - pods - - pods/log - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - apiGroups: ["extensions", "apps"] - resources: - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - apiGroups: - - config.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - - security.istio.io - resources: ["*"] - verbs: - - create - - delete - - get - - list - - patch - - watch - - apiGroups: ["monitoring.kiali.io"] - resources: - - monitoringdashboards - verbs: - - get - - list ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kiali-viewer - labels: - app: kiali - release: istio -rules: - - apiGroups: [""] - resources: - - configmaps - - endpoints - - namespaces - - nodes - - pods - - pods/log - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - apiGroups: ["extensions", "apps"] - resources: - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - apiGroups: - - config.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - - security.istio.io - resources: ["*"] - verbs: - - get - - list - - watch - - apiGroups: ["monitoring.kiali.io"] - resources: - - monitoringdashboards - verbs: - - get - - list ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kiali - labels: - app: kiali - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kiali -subjects: - - kind: ServiceAccount - name: kiali-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: kiali - namespace: istio-system - labels: - app: kiali - release: istio -data: - config.yaml: | - istio_component_namespaces: - grafana: istio-system - tracing: istio-system - pilot: istio-system - prometheus: istio-system - istio_namespace: istio-system - deployment: - accessible_namespaces: ['**'] - server: - port: 20001 - web_root: /kiali - external_services: - istio: - url_service_version: http://istio-pilot.istio-system:8080/version - tracing: - url: - grafana: - url: - prometheus: - url: http://prometheus.istio-system:9090 ---- - - -apiVersion: v1 -kind: Secret -metadata: - name: kiali - namespace: istio-system - labels: - app: kiali - release: istio -type: Opaque -data: - username: YWRtaW4= # admin - passphrase: YWRtaW4= # admin ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kiali - namespace: istio-system - labels: - app: kiali - release: istio -spec: - replicas: 1 - selector: - matchLabels: - app: kiali - template: - metadata: - name: kiali - labels: - app: kiali - release: istio - annotations: - sidecar.istio.io/inject: "false" - scheduler.alpha.kubernetes.io/critical-pod: "" - prometheus.io/scrape: "true" - prometheus.io/port: "9090" - kiali.io/runtimes: go,kiali - spec: - serviceAccountName: kiali-service-account - containers: - - image: "quay.io/kiali/kiali:v1.9" - imagePullPolicy: IfNotPresent - name: kiali - command: - - "/opt/kiali/kiali" - - "-config" - - "/kiali-configuration/config.yaml" - - "-v" - - "3" - readinessProbe: - httpGet: - path: /kiali/healthz - port: 20001 - scheme: 'HTTP' - initialDelaySeconds: 5 - periodSeconds: 30 - livenessProbe: - httpGet: - path: /kiali/healthz - port: 20001 - scheme: 'HTTP' - initialDelaySeconds: 5 - periodSeconds: 30 - env: - - name: ACTIVE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: kiali-configuration - mountPath: "/kiali-configuration" - - name: kiali-cert - mountPath: "/kiali-cert" - - name: kiali-secret - mountPath: "/kiali-secret" - resources: - requests: - cpu: 10m - - volumes: - - name: kiali-configuration - configMap: - name: kiali - - name: kiali-cert - secret: - secretName: istio.kiali-service-account - optional: true - - name: kiali-secret - secret: - secretName: kiali - optional: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x ---- - - -apiVersion: v1 -kind: Service -metadata: - name: kiali - namespace: istio-system - labels: - app: kiali - release: istio -spec: - ports: - - name: http-kiali - protocol: TCP - port: 20001 - selector: - app: kiali ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kiali-service-account - namespace: istio-system - labels: - app: kiali - release: istio ---- - -# NodeAgent component is disabled. - -# Resources for Pilot component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-pilot-istio-system - labels: - app: pilot - release: istio -rules: -- apiGroups: ["config.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["rbac.istio.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: ["security.istio.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: ["networking.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["authentication.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["*"] -- apiGroups: ["extensions"] - resources: ["ingresses", "ingresses/status"] - verbs: ["*"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] -- apiGroups: [""] - resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "watch", "list", "update", "delete"] -- apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-pilot-istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-pilot-istio-system -subjects: - - kind: ServiceAccount - name: istio-pilot-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: pilot-envoy-config - labels: - release: istio -data: - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - - static_resources: - clusters: - - name: in.15010 - http2_protocol_options: {} - connect_timeout: 1.000s - - hosts: - - socket_address: - address: 127.0.0.1 - port_value: 15010 - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - - # TODO: telemetry using EDS - # TODO: other pilots using EDS, load balancing - # TODO: galley using EDS - - - name: out.galley.15019 - http2_protocol_options: {} - connect_timeout: 1.000s - type: STRICT_DNS - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - hosts: - - socket_address: - address: istio-galley.istio-system - port_value: 15019 - - listeners: - - name: "in.15011" - address: - socket_address: - address: 0.0.0.0 - port_value: 15011 - filter_chains: - - filters: - - name: envoy.http_connection_manager - #typed_config - #"@type": "type.googleapis.com/", - config: - codec_type: HTTP2 - stat_prefix: "15011" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15011" - - virtual_hosts: - - name: istio-pilot - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: in.15010 - timeout: 0.000s - decorator: - operation: xDS - tls_context: - common_tls_context: - alpn_protocols: - - h2 - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - require_client_certificate: true - - - # Manual 'whitebox' mode - - name: "local.15019" - address: - socket_address: - address: 127.0.0.1 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15019" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: out.galley.15019 - timeout: 0.000s ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - release: istio -data: - - meshNetworks: |- - # Network config - networks: {} - - values.yaml: |- - appNamespaces: [] - autoscaleEnabled: false - autoscaleMax: 5 - autoscaleMin: 1 - configMap: true - configNamespace: istio-config - cpu: - targetAverageUtilization: 80 - enableProtocolSniffingForInbound: false - enableProtocolSniffingForOutbound: true - enabled: true - env: {} - image: pilot - ingress: - ingressClass: istio - ingressControllerMode: "OFF" - ingressService: istio-ingressgateway - keepaliveMaxServerConnectionAge: 30m - meshNetworks: - networks: {} - namespace: istio-system - nodeSelector: {} - plugins: [] - podAnnotations: {} - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - policy: - enabled: false - replicaCount: 1 - resources: - requests: - cpu: 500m - memory: 2048Mi - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - tolerations: [] - traceSampling: 1 - useMCP: true - - mesh: |- - # Set enableTracing to false to disable request tracing. - enableTracing: true - - # Set accessLogFile to empty string to disable access log. - accessLogFile: "/dev/stdout" - - accessLogFormat: "" - - accessLogEncoding: 'TEXT' - - enableEnvoyAccessLogService: false - mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 - mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 - # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. - # Default is false which means the traffic is denied when the client is unable to connect to Mixer. - policyCheckFailOpen: false - # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server - reportBatchMaxEntries: 100 - # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server - reportBatchMaxTime: 1s - disableMixerHttpReports: false - - # Set the following variable to true to disable policy checks by the Mixer. - # Note that metrics will still be reported to the Mixer. - disablePolicyChecks: false - - # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. - # Default is false which means the traffic is denied when the client is unable to connect to Mixer. - policyCheckFailOpen: false - - # Automatic protocol detection uses a set of heuristics to - # determine whether the connection is using TLS or not (on the - # server side), as well as the application protocol being used - # (e.g., http vs tcp). These heuristics rely on the client sending - # the first bits of data. For server first protocols like MySQL, - # MongoDB, etc., Envoy will timeout on the protocol detection after - # the specified period, defaulting to non mTLS plain TCP - # traffic. Set this field to tweak the period that Envoy will wait - # for the client to send the first bits of data. (MUST BE >=1ms) - protocolDetectionTimeout: 100ms - - # This is the k8s ingress service name, update if you used a different name - ingressService: "istio-ingressgateway" - ingressControllerMode: "OFF" - ingressClass: "istio" - - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The trust domain aliases represent the aliases of trust_domain. - # For example, if we have - # trustDomain: td1 - # trustDomainAliases: [“td2”, "td3"] - # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account", - # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh. - trustDomainAliases: - - # Set expected values when SDS is disabled - # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: "" - - # This flag is used by secret discovery service(SDS). - # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount - # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which - # will be used to generate key/cert eventually. This isn't supported for non-k8s case. - enableSdsTokenMount: false - - # This flag is used by secret discovery service(SDS). - # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' - # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) - # and pass to sds server, which will be used to request key/cert eventually. - # this flag is ignored if enableSdsTokenMount is set. - # This isn't supported for non-k8s case. - sdsUseK8sSaJwt: false - - # If true, automatically configure client side mTLS settings to match the corresponding service's - # server side mTLS authentication policy, when destination rule for that service does not specify - # TLS settings. - enableAutoMtls: false - config_sources: - - address: istio-galley.istio-system:9901 - - outboundTrafficPolicy: - mode: ALLOW_ANY - localityLbSetting: - enabled: true - - # Configures DNS certificates provisioned through Chiron linked into Pilot. - # The DNS certificate provisioning is enabled by default now so it get tested. - # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release. - certificates: - [] - - defaultConfig: - # - # TCP connection timeout between Envoy & the application, and between Envoys. - connectTimeout: 10s - # - ### ADVANCED SETTINGS ############# - # Where should envoy's configuration be stored in the istio-proxy container - configPath: "/etc/istio/proxy" - # The pseudo service name used for Envoy. - serviceCluster: istio-proxy - # These settings that determine how long an old Envoy - # process should be kept alive after an occasional reload. - drainDuration: 45s - parentShutdownDuration: 1m0s - # - # Port where Envoy listens (on local host) for admin commands - # You can exec into the istio-proxy container in a pod and - # curl the admin port (curl http://localhost:15000/) to obtain - # diagnostic information from Envoy. See - # https://lyft.github.io/envoy/docs/operations/admin.html - # for more details - proxyAdminPort: 15000 - # - # Set concurrency to a specific number to control the number of Proxy worker threads. - # If set to 0 (default), then start worker thread for each CPU thread/core. - concurrency: 2 - # - tracing: - zipkin: - # Address of the Zipkin collector - address: zipkin.istio-system:9411 - # - # Mutual TLS authentication between sidecars and istio control plane. - controlPlaneAuthPolicy: NONE - # - # Address where istio Pilot service is running - discoveryAddress: istio-pilot.istio-system:15010 ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: pilot - istio: pilot - release: istio - name: istio-pilot - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: pilot - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: pilot - chart: pilot - heritage: Tiller - istio: pilot - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - discovery - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --secureGrpcAddr - - "" - - --trust-domain=cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: GODEBUG - value: gctrace=1 - - name: PILOT_TRACE_SAMPLING - value: "100" - - name: CONFIG_NAMESPACE - value: istio-config - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "true" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "false" - image: docker.io/istio/pilot:1.4.5 - imagePullPolicy: IfNotPresent - name: discovery - ports: - - containerPort: 8080 - - containerPort: 15010 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 30 - timeoutSeconds: 5 - resources: - requests: - cpu: 10m - memory: 100Mi - volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - serviceAccountName: istio-pilot-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-pilot-service-account - - configMap: - name: istio - name: config-volume - - configMap: - name: pilot-envoy-config - name: pilot-envoy-config - ---- - - -apiVersion: "authentication.istio.io/v1alpha1" -kind: "MeshPolicy" -metadata: - name: "default" - labels: - release: istio -spec: - peers: - - mtls: - mode: PERMISSIVE ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-pilot - namespace: istio-system - labels: - app: pilot - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: pilot - release: istio - istio: pilot ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-pilot - namespace: istio-system - labels: - app: pilot - release: istio - istio: pilot -spec: - ports: - - port: 15010 - name: grpc-xds # direct - - port: 15011 - name: https-xds # mTLS - - port: 8080 - name: http-legacy-discovery # direct - - port: 15014 - name: http-monitoring - selector: - istio: pilot ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-pilot-service-account - namespace: istio-system - labels: - app: pilot - release: istio ---- - -# Resources for Policy component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-policy - labels: - release: istio - app: istio-policy -rules: -- apiGroups: ["config.istio.io"] # istio CRD watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-policy-admin-role-binding-istio-system - labels: - app: istio-policy - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-policy -subjects: - - kind: ServiceAccount - name: istio-policy-service-account - namespace: istio-system ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-policy - namespace: istio-system - labels: - app: istio-policy - release: istio -spec: - host: istio-policy.istio-system.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 15004 # grpc-mixer-mtls - tls: - mode: ISTIO_MUTUAL - - port: - number: 9091 # grpc-mixer - tls: - mode: DISABLE - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: policy-envoy-config - labels: - release: istio -data: - # Explicitly defined - moved from istio/istio/pilot/docker. - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - stats_config: - use_all_default_tags: false - stats_tags: - - tag_name: cluster_name - regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' - - tag_name: tcp_prefix - regex: '^tcp\.((.*?)\.)\w+?$' - - tag_name: response_code - regex: '_rq(_(\d{3}))$' - - tag_name: response_code_class - regex: '_rq(_(\dxx))$' - - tag_name: http_conn_manager_listener_prefix - regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: http_conn_manager_prefix - regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: listener_address - regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - static_resources: - clusters: - - name: prometheus_stats - type: STATIC - connect_timeout: 0.250s - lb_policy: ROUND_ROBIN - hosts: - - socket_address: - protocol: TCP - address: 127.0.0.1 - port_value: 15000 - - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - connect_timeout: 1.000s - hosts: - - pipe: - path: /sock/mixer.socket - http2_protocol_options: {} - name: inbound_9092 - - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - connect_timeout: 1.000s - hosts: - - socket_address: - address: istio-telemetry - port_value: 15004 - http2_protocol_options: {} - name: mixer_report_server - type: STRICT_DNS - dns_lookup_family: V4_ONLY - - - name: out.galley.15019 - http2_protocol_options: {} - connect_timeout: 1.000s - type: STRICT_DNS - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - hosts: - - socket_address: - address: istio-galley.istio-system - port_value: 15019 - - listeners: - - name: "15090" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 15090 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: AUTO - stat_prefix: stats - route_config: - virtual_hosts: - - name: backend - domains: - - '*' - routes: - - match: - prefix: /stats/prometheus - route: - cluster: prometheus_stats - http_filters: - - name: envoy.router - - - name: "15004" - address: - socket_address: - address: 0.0.0.0 - port_value: 15004 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-policy.istio-system.svc.cluster.local - service_configs: - istio-policy.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-policy.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-policy - destination.service.name: - string_value: istio-policy - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 15004 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: mixer_report_server - attributes_for_mixer_proxy: - attributes: - source.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - name: mixer - - name: envoy.router - route_config: - name: "15004" - virtual_hosts: - - domains: - - '*' - name: istio-policy.istio-system.svc.cluster.local - routes: - - decorator: - operation: Check - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "15004" - name: envoy.http_connection_manager - - - name: "9091" - address: - socket_address: - address: 0.0.0.0 - port_value: 9091 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-policy.istio-system.svc.cluster.local - service_configs: - istio-policy.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-policy.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-policy - destination.service.name: - string_value: istio-policy - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 9091 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: mixer_report_server - attributes_for_mixer_proxy: - attributes: - source.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - name: mixer - - name: envoy.router - route_config: - name: "9091" - virtual_hosts: - - domains: - - '*' - name: istio-policy.istio-system.svc.cluster.local - routes: - - decorator: - operation: Check - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "9091" - name: envoy.http_connection_manager - name: "9091" - - - name: "local.15019" - address: - socket_address: - address: 127.0.0.1 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15019" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: out.galley.15019 - timeout: 0.000s ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-policy - istio: mixer - release: istio - name: istio-policy - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: mixer - istio-mixer-type: policy - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: policy - istio: mixer - istio-mixer-type: policy - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --monitoringPort=15014 - - --address - - tcp://0.0.0.0:9091 - - --log_output_level=default:info - - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 - - --configDefaultNamespace=istio-system - - --useAdapterCRDs=false - - --useTemplateCRDs=false - - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: docker.io/istio/mixer:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /version - port: 15014 - initialDelaySeconds: 5 - periodSeconds: 5 - name: mixer - ports: - - containerPort: 9091 - - containerPort: 15014 - - containerPort: 42422 - resources: - requests: - cpu: 10m - memory: 100Mi - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /sock - name: uds-socket - - mountPath: /var/run/secrets/istio.io/policy/adapter - name: policy-adapter-secret - readOnly: true - serviceAccountName: istio-policy-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-policy-service-account - - emptyDir: {} - name: uds-socket - - name: policy-adapter-secret - secret: - optional: true - secretName: policy-adapter-secret - - configMap: - name: policy-envoy-config - name: policy-envoy-config - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-policy - namespace: istio-system - labels: - app: policy - release: istio - istio: mixer - istio-mixer-type: policy -spec: - minAvailable: 1 - selector: - matchLabels: - app: policy - istio: mixer - istio-mixer-type: policy ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-policy - namespace: istio-system - labels: - app: mixer - istio: mixer - release: istio -spec: - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-policy-monitoring - port: 15014 - selector: - istio: mixer - istio-mixer-type: policy ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-policy-service-account - namespace: istio-system - labels: - app: istio-policy - release: istio ---- - -# Resources for Prometheus component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: prometheus-istio-system - labels: - app: prometheus - release: istio -rules: -- apiGroups: [""] - resources: - - nodes - - services - - endpoints - - pods - - nodes/proxy - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: - - configmaps - verbs: ["get"] -- nonResourceURLs: ["/metrics"] - verbs: ["get"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: prometheus-istio-system - labels: - app: prometheus - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus-istio-system -subjects: -- kind: ServiceAccount - name: prometheus - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: prometheus - namespace: istio-system - labels: - app: prometheus - release: istio -data: - prometheus.yml: |- - global: - scrape_interval: 15s - scrape_configs: - - # Mixer scrapping. Defaults to Prometheus and mixer on same namespace. - # - - job_name: 'istio-mesh' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-telemetry;prometheus - - # Scrape config for envoy stats - - job_name: 'envoy-stats' - metrics_path: /stats/prometheus - kubernetes_sd_configs: - - role: pod - - relabel_configs: - - source_labels: [__meta_kubernetes_pod_container_port_name] - action: keep - regex: '.*-envoy-prom' - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:15090 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name - - - job_name: 'istio-policy' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-policy;http-policy-monitoring - - - job_name: 'istio-telemetry' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-telemetry;http-monitoring - - - job_name: 'pilot' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-pilot;http-monitoring - - - job_name: 'galley' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-galley;http-monitoring - - - job_name: 'citadel' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-citadel;http-monitoring - - # scrape config for API servers - - job_name: 'kubernetes-apiservers' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - default - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: kubernetes;https - - # scrape config for nodes (kubelet) - - job_name: 'kubernetes-nodes' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/${1}/proxy/metrics - - # Scrape config for Kubelet cAdvisor. - # - # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics - # (those whose names begin with 'container_') have been removed from the - # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to - # retrieve those metrics. - # - # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor - # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" - # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with - # the --cadvisor-port=0 Kubelet flag). - # - # This job is not necessary and should be removed in Kubernetes 1.6 and - # earlier versions, or it will cause the metrics to be scraped twice. - - job_name: 'kubernetes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor - - # scrape config for service endpoints. - - job_name: 'kubernetes-service-endpoints' - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] - action: replace - target_label: __scheme__ - regex: (https?) - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] - action: replace - target_label: __address__ - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: kubernetes_namespace - - source_labels: [__meta_kubernetes_service_name] - action: replace - target_label: kubernetes_name - - - job_name: 'kubernetes-pods' - kubernetes_sd_configs: - - role: pod - relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] - action: drop - regex: (.+) - - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] - action: drop - regex: (true) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name - - job_name: 'kubernetes-pods-istio-secure' - scheme: https - tls_config: - ca_file: /etc/istio-certs/root-cert.pem - cert_file: /etc/istio-certs/cert-chain.pem - key_file: /etc/istio-certs/key.pem - insecure_skip_verify: true # prometheus does not support secure naming. - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - # sidecar status annotation is added by sidecar injector and - # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. - - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] - action: keep - regex: (([^;]+);([^;]*))|(([^;]*);(true)) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__] # Only keep address that is host:port - action: keep # otherwise an extra target with ':443' is added for https scheme - regex: ([^:]+):(\d+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: prometheus - namespace: istio-system - labels: - app: prometheus - release: istio -spec: - replicas: 1 - selector: - matchLabels: - app: prometheus - template: - metadata: - labels: - app: prometheus - release: istio - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: prometheus - containers: - - name: prometheus - image: "docker.io/prom/prometheus:v2.12.0" - imagePullPolicy: IfNotPresent - args: - - '--storage.tsdb.retention=6h' - - '--config.file=/etc/prometheus/prometheus.yml' - ports: - - containerPort: 9090 - name: http - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - resources: - requests: - cpu: 10m - - volumeMounts: - - name: config-volume - mountPath: /etc/prometheus - - mountPath: /etc/istio-certs - name: istio-certs - volumes: - - name: config-volume - configMap: - name: prometheus - - name: istio-certs - secret: - defaultMode: 420 - secretName: istio.default - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x ---- - - -apiVersion: v1 -kind: Service -metadata: - name: prometheus - namespace: istio-system - annotations: - prometheus.io/scrape: 'true' - labels: - app: prometheus - release: istio -spec: - selector: - app: prometheus - ports: - - name: http-prometheus - protocol: TCP - port: 9090 ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: prometheus - namespace: istio-system - labels: - app: prometheus - release: istio ---- - -# PrometheusOperator component is disabled. - -# Resources for Telemetry component - -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: mixer - release: istio - name: istio-telemetry - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-telemetry - ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-mixer-istio-system - labels: - app: istio-telemetry - release: istio -rules: -- apiGroups: ["config.istio.io"] # istio CRD watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-mixer-admin-role-binding-istio-system - labels: - app: istio-telemetry - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-mixer-istio-system -subjects: - - kind: ServiceAccount - name: istio-mixer-service-account - namespace: istio-system ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: attributemanifest -metadata: - name: istioproxy - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - attributes: - origin.ip: - valueType: IP_ADDRESS - origin.uid: - valueType: STRING - origin.user: - valueType: STRING - request.headers: - valueType: STRING_MAP - request.id: - valueType: STRING - request.host: - valueType: STRING - request.method: - valueType: STRING - request.path: - valueType: STRING - request.url_path: - valueType: STRING - request.query_params: - valueType: STRING_MAP - request.reason: - valueType: STRING - request.referer: - valueType: STRING - request.scheme: - valueType: STRING - request.total_size: - valueType: INT64 - request.size: - valueType: INT64 - request.time: - valueType: TIMESTAMP - request.useragent: - valueType: STRING - response.code: - valueType: INT64 - response.duration: - valueType: DURATION - response.headers: - valueType: STRING_MAP - response.total_size: - valueType: INT64 - response.size: - valueType: INT64 - response.time: - valueType: TIMESTAMP - response.grpc_status: - valueType: STRING - response.grpc_message: - valueType: STRING - source.uid: - valueType: STRING - source.user: # DEPRECATED - valueType: STRING - source.principal: - valueType: STRING - destination.uid: - valueType: STRING - destination.principal: - valueType: STRING - destination.port: - valueType: INT64 - connection.event: - valueType: STRING - connection.id: - valueType: STRING - connection.received.bytes: - valueType: INT64 - connection.received.bytes_total: - valueType: INT64 - connection.sent.bytes: - valueType: INT64 - connection.sent.bytes_total: - valueType: INT64 - connection.duration: - valueType: DURATION - connection.mtls: - valueType: BOOL - connection.requested_server_name: - valueType: STRING - context.protocol: - valueType: STRING - context.proxy_error_code: - valueType: STRING - context.timestamp: - valueType: TIMESTAMP - context.time: - valueType: TIMESTAMP - # Deprecated, kept for compatibility - context.reporter.local: - valueType: BOOL - context.reporter.kind: - valueType: STRING - context.reporter.uid: - valueType: STRING - context.proxy_version: - valueType: STRING - api.service: - valueType: STRING - api.version: - valueType: STRING - api.operation: - valueType: STRING - api.protocol: - valueType: STRING - request.auth.principal: - valueType: STRING - request.auth.audiences: - valueType: STRING - request.auth.presenter: - valueType: STRING - request.auth.claims: - valueType: STRING_MAP - request.auth.raw_claims: - valueType: STRING - request.api_key: - valueType: STRING - rbac.permissive.response_code: - valueType: STRING - rbac.permissive.effective_policy_id: - valueType: STRING - check.error_code: - valueType: INT64 - check.error_message: - valueType: STRING - check.cache_hit: - valueType: BOOL - quota.cache_hit: - valueType: BOOL ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: attributemanifest -metadata: - name: kubernetes - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - attributes: - source.ip: - valueType: IP_ADDRESS - source.labels: - valueType: STRING_MAP - source.metadata: - valueType: STRING_MAP - source.name: - valueType: STRING - source.namespace: - valueType: STRING - source.owner: - valueType: STRING - source.serviceAccount: - valueType: STRING - source.services: - valueType: STRING - source.workload.uid: - valueType: STRING - source.workload.name: - valueType: STRING - source.workload.namespace: - valueType: STRING - destination.ip: - valueType: IP_ADDRESS - destination.labels: - valueType: STRING_MAP - destination.metadata: - valueType: STRING_MAP - destination.owner: - valueType: STRING - destination.name: - valueType: STRING - destination.container.name: - valueType: STRING - destination.namespace: - valueType: STRING - destination.service.uid: - valueType: STRING - destination.service.name: - valueType: STRING - destination.service.namespace: - valueType: STRING - destination.service.host: - valueType: STRING - destination.serviceAccount: - valueType: STRING - destination.workload.uid: - valueType: STRING - destination.workload.name: - valueType: STRING - destination.workload.namespace: - valueType: STRING ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: stdio - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledAdapter: stdio - params: - outputAsJson: false ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: accesslog - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: logentry - params: - severity: '"Info"' - timestamp: request.time - variables: - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | request.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - apiClaims: request.auth.raw_claims | "" - apiKey: request.api_key | request.headers["x-api-key"] | "" - protocol: request.scheme | context.protocol | "http" - method: request.method | "" - url: request.path | "" - responseCode: response.code | 0 - responseFlags: context.proxy_error_code | "" - responseSize: response.size | 0 - permissiveResponseCode: rbac.permissive.response_code | "none" - permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" - requestSize: request.size | 0 - requestId: request.headers["x-request-id"] | "" - clientTraceId: request.headers["x-client-trace-id"] | "" - latency: response.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - requestedServerName: connection.requested_server_name | "" - userAgent: request.useragent | "" - responseTimestamp: response.time - receivedBytes: request.total_size | 0 - sentBytes: response.total_size | 0 - referer: request.referer | "" - httpAuthority: request.headers[":authority"] | request.host | "" - xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - grpcStatus: response.grpc_status | "" - grpcMessage: response.grpc_message | "" - monitored_resource_type: '"global"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpaccesslog - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: logentry - params: - severity: '"Info"' - timestamp: context.time | timestamp("2017-01-01T00:00:00Z") - variables: - connectionEvent: connection.event | "" - sourceIp: source.ip | ip("0.0.0.0") - sourceApp: source.labels["app"] | "" - sourcePrincipal: source.principal | "" - sourceName: source.name | "" - sourceWorkload: source.workload.name | "" - sourceNamespace: source.namespace | "" - sourceOwner: source.owner | "" - destinationApp: destination.labels["app"] | "" - destinationIp: destination.ip | ip("0.0.0.0") - destinationServiceHost: destination.service.host | "" - destinationWorkload: destination.workload.name | "" - destinationName: destination.name | "" - destinationNamespace: destination.namespace | "" - destinationOwner: destination.owner | "" - destinationPrincipal: destination.principal | "" - protocol: context.protocol | "tcp" - connectionDuration: connection.duration | "0ms" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - requestedServerName: connection.requested_server_name | "" - receivedBytes: connection.received.bytes | 0 - sentBytes: connection.sent.bytes | 0 - totalReceivedBytes: connection.received.bytes_total | 0 - totalSentBytes: connection.sent.bytes_total | 0 - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - responseFlags: context.proxy_error_code | "" - monitored_resource_type: '"global"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: stdio - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "http" || context.protocol == "grpc" - actions: - - handler: stdio - instances: - - accesslog ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: stdiotcp - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" - actions: - - handler: stdio - instances: - - tcpaccesslog ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: requestcount - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: requestduration - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: response.duration | "0ms" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: requestsize - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: request.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: responsesize - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: response.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpbytesent - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: connection.sent.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpbytereceived - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: connection.received.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpconnectionsopened - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpconnectionsclosed - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: prometheus - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledAdapter: prometheus - params: - metricsExpirationPolicy: - metricsExpiryDuration: "10m" - metrics: - - name: requests_total - instance_name: requestcount.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - - name: request_duration_seconds - instance_name: requestduration.instance.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_bytes - instance_name: requestsize.instance.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: response_bytes - instance_name: responsesize.instance.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_sent_bytes_total - instance_name: tcpbytesent.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_received_bytes_total - instance_name: tcpbytereceived.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_connections_opened_total - instance_name: tcpconnectionsopened.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_connections_closed_total - instance_name: tcpconnectionsclosed.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promhttp - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) - actions: - - handler: prometheus - instances: - - requestcount - - requestduration - - requestsize - - responsesize ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcp - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" - actions: - - handler: prometheus - instances: - - tcpbytesent - - tcpbytereceived ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcpconnectionopen - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" && ((connection.event | "na") == "open") - actions: - - handler: prometheus - instances: - - tcpconnectionsopened ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcpconnectionclosed - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" && ((connection.event | "na") == "close") - actions: - - handler: prometheus - instances: - - tcpconnectionsclosed ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: kubernetesenv - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledAdapter: kubernetesenv - params: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: kubeattrgenrulerule - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - actions: - - handler: kubernetesenv - instances: - - attributes ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: tcpkubeattrgenrulerule - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" - actions: - - handler: kubernetesenv - instances: - - attributes ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: attributes - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: kubernetes - params: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - destination_port: destination.port | 0 - attributeBindings: - # Fill the new attributes from the adapter produced output. - # $out refers to an instance of OutputTemplate message - source.ip: $out.source_pod_ip | ip("0.0.0.0") - source.uid: $out.source_pod_uid | "unknown" - source.labels: $out.source_labels | emptyStringMap() - source.name: $out.source_pod_name | "unknown" - source.namespace: $out.source_namespace | "default" - source.owner: $out.source_owner | "unknown" - source.serviceAccount: $out.source_service_account_name | "unknown" - source.workload.uid: $out.source_workload_uid | "unknown" - source.workload.name: $out.source_workload_name | "unknown" - source.workload.namespace: $out.source_workload_namespace | "unknown" - destination.ip: $out.destination_pod_ip | ip("0.0.0.0") - destination.uid: $out.destination_pod_uid | "unknown" - destination.labels: $out.destination_labels | emptyStringMap() - destination.name: $out.destination_pod_name | "unknown" - destination.container.name: $out.destination_container_name | "unknown" - destination.namespace: $out.destination_namespace | "default" - destination.owner: $out.destination_owner | "unknown" - destination.serviceAccount: $out.destination_service_account_name | "unknown" - destination.workload.uid: $out.destination_workload_uid | "unknown" - destination.workload.name: $out.destination_workload_name | "unknown" - destination.workload.namespace: $out.destination_workload_namespace | "unknown" ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-telemetry - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - host: istio-telemetry.istio-system.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 15004 # grpc-mixer-mtls - tls: - mode: ISTIO_MUTUAL - - port: - number: 9091 # grpc-mixer - tls: - mode: DISABLE - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: telemetry-envoy-config - labels: - release: istio -data: - # Explicitly defined - moved from istio/istio/pilot/docker. - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - stats_config: - use_all_default_tags: false - stats_tags: - - tag_name: cluster_name - regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' - - tag_name: tcp_prefix - regex: '^tcp\.((.*?)\.)\w+?$' - - tag_name: response_code - regex: '_rq(_(\d{3}))$' - - tag_name: response_code_class - regex: '_rq(_(\dxx))$' - - tag_name: http_conn_manager_listener_prefix - regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: http_conn_manager_prefix - regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: listener_address - regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - static_resources: - clusters: - - name: prometheus_stats - type: STATIC - connect_timeout: 0.250s - lb_policy: ROUND_ROBIN - hosts: - - socket_address: - protocol: TCP - address: 127.0.0.1 - port_value: 15000 - - - name: inbound_9092 - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - connect_timeout: 1.000s - hosts: - - pipe: - path: /sock/mixer.socket - http2_protocol_options: {} - - - name: out.galley.15019 - http2_protocol_options: {} - connect_timeout: 1.000s - type: STRICT_DNS - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - hosts: - - socket_address: - address: istio-galley.istio-system - port_value: 15019 - - listeners: - - name: "15090" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 15090 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: AUTO - stat_prefix: stats - route_config: - virtual_hosts: - - name: backend - domains: - - '*' - routes: - - match: - prefix: /stats/prometheus - route: - cluster: prometheus_stats - http_filters: - - name: envoy.router - - - name: "15004" - address: - socket_address: - address: 0.0.0.0 - port_value: 15004 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-telemetry.istio-system.svc.cluster.local - service_configs: - istio-telemetry.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-telemetry.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-telemetry - destination.service.name: - string_value: istio-telemetry - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 15004 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: inbound_9092 - name: mixer - - name: envoy.router - route_config: - name: "15004" - virtual_hosts: - - domains: - - '*' - name: istio-telemetry.istio-system.svc.cluster.local - routes: - - decorator: - operation: Report - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "15004" - name: envoy.http_connection_manager - - - name: "9091" - address: - socket_address: - address: 0.0.0.0 - port_value: 9091 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-telemetry.istio-system.svc.cluster.local - service_configs: - istio-telemetry.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-telemetry.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-telemetry - destination.service.name: - string_value: istio-telemetry - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 9091 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: inbound_9092 - name: mixer - - name: envoy.router - route_config: - name: "9091" - virtual_hosts: - - domains: - - '*' - name: istio-telemetry.istio-system.svc.cluster.local - routes: - - decorator: - operation: Report - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "9091" - name: envoy.http_connection_manager - - - name: "local.15019" - address: - socket_address: - address: 127.0.0.1 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15019" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: out.galley.15019 - timeout: 0.000s ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-mixer - istio: mixer - release: istio - name: istio-telemetry - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: mixer - istio-mixer-type: telemetry - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: telemetry - istio: mixer - istio-mixer-type: telemetry - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --monitoringPort=15014 - - --address - - tcp://0.0.0.0:9091 - - --log_output_level=default:info - - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 - - --configDefaultNamespace=istio-system - - --useAdapterCRDs=false - - --useTemplateCRDs=false - - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: GOMAXPROCS - value: "6" - image: docker.io/istio/mixer:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /version - port: 15014 - initialDelaySeconds: 5 - periodSeconds: 5 - name: mixer - ports: - - containerPort: 9091 - - containerPort: 15014 - - containerPort: 42422 - resources: - limits: - cpu: 4800m - memory: 4G - requests: - cpu: 50m - memory: 100Mi - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /sock - name: uds-socket - - mountPath: /var/run/secrets/istio.io/telemetry/adapter - name: telemetry-adapter-secret - readOnly: true - serviceAccountName: istio-mixer-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-mixer-service-account - - emptyDir: {} - name: uds-socket - - name: telemetry-adapter-secret - secret: - optional: true - secretName: telemetry-adapter-secret - - configMap: - name: telemetry-envoy-config - name: telemetry-envoy-config - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-telemetry - namespace: istio-system - labels: - app: telemetry - release: istio - istio: mixer - istio-mixer-type: telemetry -spec: - minAvailable: 1 - selector: - matchLabels: - app: telemetry - istio: mixer - istio-mixer-type: telemetry ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-telemetry - namespace: istio-system - labels: - app: mixer - istio: mixer - release: istio -spec: - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-monitoring - port: 15014 - - name: prometheus - port: 42422 - selector: - istio: mixer - istio-mixer-type: telemetry ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-mixer-service-account - namespace: istio-system - labels: - app: istio-telemetry - release: istio ---- - -# Resources for Tracing component - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istio-tracing - namespace: istio-system - labels: - app: jaeger - release: istio -spec: - selector: - matchLabels: - app: jaeger - template: - metadata: - labels: - app: jaeger - release: istio - annotations: - sidecar.istio.io/inject: "false" - prometheus.io/scrape: "true" - prometheus.io/port: "14269" - spec: - containers: - - name: jaeger - image: "docker.io/jaegertracing/all-in-one:1.14" - imagePullPolicy: IfNotPresent - ports: - - containerPort: 9411 - - containerPort: 16686 - - containerPort: 14250 - - containerPort: 14267 - - containerPort: 14268 - - containerPort: 14269 - - containerPort: 5775 - protocol: UDP - - containerPort: 6831 - protocol: UDP - - containerPort: 6832 - protocol: UDP - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: BADGER_EPHEMERAL - value: "false" - - name: SPAN_STORAGE_TYPE - value: "badger" - - name: BADGER_DIRECTORY_VALUE - value: "/badger/data" - - name: BADGER_DIRECTORY_KEY - value: "/badger/key" - - name: COLLECTOR_ZIPKIN_HTTP_PORT - value: "9411" - - name: MEMORY_MAX_TRACES - value: "50000" - - name: QUERY_BASE_PATH - value: /jaeger - livenessProbe: - httpGet: - path: / - port: 14269 - readinessProbe: - httpGet: - path: / - port: 14269 - volumeMounts: - - name: data - mountPath: /badger - resources: - requests: - cpu: 10m - - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - volumes: - - name: data - emptyDir: {} ---- - - -apiVersion: v1 -kind: Service -metadata: - name: jaeger-query - namespace: istio-system - annotations: - labels: - app: jaeger - jaeger-infra: jaeger-service - release: istio -spec: - ports: - - name: query-http - port: 16686 - protocol: TCP - targetPort: 16686 - selector: - app: jaeger ---- - - -apiVersion: v1 -kind: Service -metadata: - name: jaeger-collector - namespace: istio-system - labels: - app: jaeger - jaeger-infra: collector-service - release: istio -spec: - ports: - - name: jaeger-collector-tchannel - port: 14267 - protocol: TCP - targetPort: 14267 - - name: jaeger-collector-http - port: 14268 - targetPort: 14268 - protocol: TCP - - name: jaeger-collector-grpc - port: 14250 - targetPort: 14250 - protocol: TCP - selector: - app: jaeger - type: ClusterIP ---- - - -apiVersion: v1 -kind: Service -metadata: - name: jaeger-agent - namespace: istio-system - labels: - app: jaeger - jaeger-infra: agent-service - release: istio -spec: - ports: - - name: agent-zipkin-thrift - port: 5775 - protocol: UDP - targetPort: 5775 - - name: agent-compact - port: 6831 - protocol: UDP - targetPort: 6831 - - name: agent-binary - port: 6832 - protocol: UDP - targetPort: 6832 - clusterIP: None - selector: - app: jaeger ---- - - -apiVersion: v1 -kind: Service -metadata: - name: zipkin - namespace: istio-system - labels: - app: jaeger - release: istio -spec: - ports: - - port: 9411 - targetPort: 9411 - protocol: TCP - name: http-query - selector: - app: jaeger ---- - - -apiVersion: v1 -kind: Service -metadata: - name: tracing - namespace: istio-system - annotations: - labels: - app: jaeger - release: istio -spec: - type: ClusterIP - ports: - - name: http-query - port: 80 - protocol: TCP - - targetPort: 16686 - - selector: - app: jaeger ---- - diff --git a/istioctl-config.yaml b/istioctl-config.yaml deleted file mode 100644 index 791468e..0000000 --- a/istioctl-config.yaml +++ /dev/null @@ -1,10245 +0,0 @@ -# Resources for Base component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -rules: -- apiGroups: - - "config.istio.io" - - "rbac.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"] - verbs: ["get", "list", "watch"] -- apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: attributemanifests.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: attributemanifest - plural: attributemanifests - singular: attributemanifest - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - attributes: - additionalProperties: - properties: - description: - description: A human-readable description of the attribute's purpose. - format: string - type: string - valueType: - description: The type of data carried by this attribute. - enum: - - VALUE_TYPE_UNSPECIFIED - - STRING - - INT64 - - DOUBLE - - BOOL - - TIMESTAMP - - IP_ADDRESS - - EMAIL_ADDRESS - - URI - - DNS_NAME - - DURATION - - STRING_MAP - type: string - type: object - description: The set of attributes this Istio component will be responsible - for producing at runtime. - type: object - name: - description: Name of the component producing these attributes. - format: string - type: string - revision: - description: The revision of this document. - format: string - type: string - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - heritage: Tiller - istio: rbac - release: istio - name: clusterrbacconfigs.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ClusterRbacConfig - plural: clusterrbacconfigs - singular: clusterrbacconfig - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - enforcementMode: - enum: - - ENFORCED - - PERMISSIVE - type: string - exclusion: - description: A list of services or namespaces that should not be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - inclusion: - description: A list of services or namespaces that should be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - mode: - description: Istio RBAC mode. - enum: - - "OFF" - - "ON" - - ON_WITH_INCLUSION - - ON_WITH_EXCLUSION - type: string - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a - backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP - upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on - the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to - the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to - a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutiveErrors: - format: int32 - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more - details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was - generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to SIDECAR_INBOUND context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - filters: - items: - properties: - filterConfig: - type: object - filterName: - description: The name of the filter to instantiate. - format: string - type: string - filterType: - description: The type of filter to instantiate. - enum: - - INVALID - - HTTP - - NETWORK - type: string - insertPosition: - description: Insert position in the filter chain. - properties: - index: - description: Position of this filter in the filter chain. - enum: - - FIRST - - LAST - - BEFORE - - AFTER - type: string - relativeTo: - format: string - type: string - type: object - listenerMatch: - properties: - address: - description: One or more IP addresses to which the listener - is bound. - items: - format: string - type: string - type: array - listenerProtocol: - description: Selects a class of listeners for the same protocol. - enum: - - ALL - - HTTP - - TCP - type: string - listenerType: - description: Inbound vs outbound sidecar listener or gateway - listener. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - portNamePrefix: - format: string - type: string - portNumber: - type: integer - type: object - type: object - type: array - workloadLabels: - additionalProperties: - format: string - type: string - description: Deprecated. - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpecBinding - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - api_specs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - apiSpecs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed HTTPAPISpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpec - plural: httpapispecs - singular: httpapispec - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - api_keys: - items: - oneOf: - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - apiKeys: - items: - oneOf: - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - patterns: - description: List of HTTP patterns to match. - items: - oneOf: - - required: - - uriTemplate - - required: - - regex - properties: - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - httpMethod: - format: string - type: string - regex: - format: string - type: string - uriTemplate: - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-citadel - chart: istio - heritage: Tiller - release: istio - name: meshpolicies.authentication.istio.io -spec: - group: authentication.istio.io - names: - categories: - - istio-io - - authentication-istio-io - kind: MeshPolicy - listKind: MeshPolicyList - plural: meshpolicies - singular: meshpolicy - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Authentication policy for Istio services. See more details - at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' - properties: - originIsOptional: - type: boolean - origins: - description: List of authentication methods that can be used for origin - authentication. - items: - properties: - jwt: - description: Jwt params for the method. - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - type: object - type: array - peerIsOptional: - type: boolean - peers: - description: List of authentication methods that can be used for peer - authentication. - items: - oneOf: - - required: - - mtls - - required: - - jwt - properties: - jwt: - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - mtls: - description: Set if mTLS is used. - properties: - allowTls: - description: WILL BE DEPRECATED, if set, will translates to - `TLS_PERMISSIVE` mode. - type: boolean - mode: - description: Defines the mode of mTLS authentication. - enum: - - STRICT - - PERMISSIVE - type: string - type: object - type: object - type: array - principalBinding: - description: Define whether peer or origin identity should be use for - principal. - enum: - - USE_PEER - - USE_ORIGIN - type: string - targets: - description: List rules to select workloads that the policy should be - applied on. - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: The name must be a short name from the service registry. - format: string - type: string - ports: - description: Specifies the ports. - items: - oneOf: - - required: - - number - - required: - - name - properties: - name: - format: string - type: string - number: - type: integer - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-citadel - chart: istio - heritage: Tiller - release: istio - name: policies.authentication.istio.io -spec: - group: authentication.istio.io - names: - categories: - - istio-io - - authentication-istio-io - kind: Policy - plural: policies - singular: policy - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Authentication policy for Istio services. See more details - at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' - properties: - originIsOptional: - type: boolean - origins: - description: List of authentication methods that can be used for origin - authentication. - items: - properties: - jwt: - description: Jwt params for the method. - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - type: object - type: array - peerIsOptional: - type: boolean - peers: - description: List of authentication methods that can be used for peer - authentication. - items: - oneOf: - - required: - - mtls - - required: - - jwt - properties: - jwt: - properties: - audiences: - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - jwt_headers: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtHeaders: - description: JWT is sent in a request header. - items: - format: string - type: string - type: array - jwtParams: - description: JWT is sent in a query parameter. - items: - format: string - type: string - type: array - trigger_rules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - triggerRules: - items: - properties: - excluded_paths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - excludedPaths: - description: List of paths to be excluded from the request. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - included_paths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - includedPaths: - description: List of paths that the request must include. - items: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - suffix - - required: - - regex - properties: - exact: - description: exact string match. - format: string - type: string - prefix: - description: prefix-based match. - format: string - type: string - regex: - description: ECMAscript style regex-based match - as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). - format: string - type: string - suffix: - description: suffix-based match. - format: string - type: string - type: object - type: array - type: object - type: array - type: object - mtls: - description: Set if mTLS is used. - properties: - allowTls: - description: WILL BE DEPRECATED, if set, will translates to - `TLS_PERMISSIVE` mode. - type: boolean - mode: - description: Defines the mode of mTLS authentication. - enum: - - STRICT - - PERMISSIVE - type: string - type: object - type: object - type: array - principalBinding: - description: Define whether peer or origin identity should be use for - principal. - enum: - - USE_PEER - - USE_ORIGIN - type: string - targets: - description: List rules to select workloads that the policy should be - applied on. - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: The name must be a short name from the service registry. - format: string - type: string - ports: - description: Specifies the ports. - items: - oneOf: - - required: - - number - - required: - - name - properties: - name: - format: string - type: string - number: - type: integer - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpecBinding - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - quotaSpecs: - items: - properties: - name: - description: The short name of the QuotaSpec. - format: string - type: string - namespace: - description: Optional namespace of the QuotaSpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed QuotaSpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpec - plural: quotaspecs - singular: quotaspec - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: Determines the quotas used for individual requests. - properties: - rules: - description: A list of Quota rules. - items: - properties: - match: - description: If empty, match all request. - items: - properties: - clause: - additionalProperties: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - description: Map of attribute names to StringMatch type. - type: object - type: object - type: array - quotas: - description: The list of quotas to charge. - items: - properties: - charge: - format: int32 - type: integer - quota: - format: string - type: string - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: rbacconfigs.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: RbacConfig - plural: rbacconfigs - singular: rbacconfig - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - enforcementMode: - enum: - - ENFORCED - - PERMISSIVE - type: string - exclusion: - description: A list of services or namespaces that should not be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - inclusion: - description: A list of services or namespaces that should be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - mode: - description: Istio RBAC mode. - enum: - - "OFF" - - "ON" - - ON_WITH_INCLUSION - - ON_WITH_EXCLUSION - type: string - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: rules.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: rule - plural: rules - singular: rule - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - actions: - description: The actions that will be executed when match evaluates - to `true`. - items: - properties: - handler: - description: Fully qualified name of the handler to invoke. - format: string - type: string - instances: - items: - format: string - type: string - type: array - name: - description: A handle to refer to the results of the action. - format: string - type: string - type: object - type: array - match: - description: Match is an attribute based predicate. - format: string - type: string - requestHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - responseHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - sampling: - properties: - random: - description: Provides filtering of actions based on random selection - per request. - properties: - attributeExpression: - description: Specifies an attribute expression to use to override - the numerator in the `percent_sampled` field. - format: string - type: string - percentSampled: - description: The default sampling rate, expressed as a percentage. - properties: - denominator: - description: Specifies the denominator. - enum: - - HUNDRED - - TEN_THOUSAND - type: string - numerator: - description: Specifies the numerator. - type: integer - type: object - useIndependentRandomness: - description: By default sampling will be based on the value - of the request header `x-request-id`. - type: boolean - type: object - rateLimit: - properties: - maxUnsampledEntries: - description: Number of entries to allow during the `sampling_duration` - before sampling is enforced. - format: int64 - type: integer - samplingDuration: - description: Window in which to enforce the sampling rate. - type: string - samplingRate: - description: The rate at which to sample entries once the unsampled - limit has been reached. - format: int64 - type: integer - type: object - type: object - type: object - type: object - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL - or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: servicerolebindings.rbac.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.roleRef.name - description: The name of the ServiceRole object being referenced - name: Reference - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ServiceRoleBinding - plural: servicerolebindings - singular: servicerolebinding - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - actions: - items: - properties: - constraints: - description: Optional. - items: - properties: - key: - description: Key of the constraint. - format: string - type: string - values: - description: List of valid values for the constraint. - items: - format: string - type: string - type: array - type: object - type: array - hosts: - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - items: - format: string - type: string - type: array - notMethods: - items: - format: string - type: string - type: array - notPaths: - items: - format: string - type: string - type: array - notPorts: - items: - format: int32 - type: integer - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - items: - format: int32 - type: integer - type: array - services: - description: A list of service names. - items: - format: string - type: string - type: array - type: object - type: array - mode: - enum: - - ENFORCED - - PERMISSIVE - type: string - role: - format: string - type: string - roleRef: - description: Reference to the ServiceRole object. - properties: - kind: - description: The type of the role being referenced. - format: string - type: string - name: - description: The name of the ServiceRole object being referenced. - format: string - type: string - type: object - subjects: - description: List of subjects that are assigned the ServiceRole object. - items: - properties: - group: - format: string - type: string - groups: - items: - format: string - type: string - type: array - ips: - items: - format: string - type: string - type: array - names: - items: - format: string - type: string - type: array - namespaces: - items: - format: string - type: string - type: array - notGroups: - items: - format: string - type: string - type: array - notIps: - items: - format: string - type: string - type: array - notNames: - items: - format: string - type: string - type: array - notNamespaces: - items: - format: string - type: string - type: array - properties: - additionalProperties: - format: string - type: string - description: Optional. - type: object - user: - description: Optional. - format: string - type: string - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: serviceroles.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ServiceRole - plural: serviceroles - singular: servicerole - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for Role Based Access Control. See more details - at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' - properties: - rules: - description: The set of access rules (permissions) that the role has. - items: - properties: - constraints: - description: Optional. - items: - properties: - key: - description: Key of the constraint. - format: string - type: string - values: - description: List of valid values for the constraint. - items: - format: string - type: string - type: array - type: object - type: array - hosts: - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - items: - format: string - type: string - type: array - notMethods: - items: - format: string - type: string - type: array - notPaths: - items: - format: string - type: string - type: array - notPorts: - items: - format: int32 - type: integer - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - items: - format: int32 - type: integer - type: array - services: - description: A list of service names. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: |- - CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these - routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - appendHeaders: - additionalProperties: - format: string - type: string - type: object - appendRequestHeaders: - additionalProperties: - format: string - type: string - type: object - appendResponseHeaders: - additionalProperties: - format: string - type: string - type: object - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. - items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at - the client side. - properties: - abort: - oneOf: - - properties: - percent: {} - required: - - httpStatus - - properties: - percent: {} - required: - - grpcStatus - - properties: - percent: {} - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percent: - description: Percentage of requests to be aborted with - the error code provided (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - properties: - percent: {} - required: - - fixedDelay - - properties: - percent: {} - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - gateways: - items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should - be case-insensitive. - type: boolean - method: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - uri: - oneOf: - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - format: string - type: string - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A http rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - removeRequestHeaders: - items: - format: string - type: string - type: array - removeResponseHeaders: - items: - format: string - type: string - type: array - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per retry attempt for a given request. - type: string - retryOn: - description: Specifies the conditions under which retry takes - place. - format: string - type: string - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A http rule can either redirect or forward (default) - traffic. - items: - properties: - appendRequestHeaders: - additionalProperties: - format: string - type: string - description: Use of `append_request_headers` is deprecated. - type: object - appendResponseHeaders: - additionalProperties: - format: string - type: string - description: Use of `append_response_headers` is deprecated. - type: object - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - removeRequestHeaders: - description: Use of `remove_request_headers` is deprecated. - items: - format: string - type: string - type: array - removeResponseHeaders: - description: Use of `remove_response_header` is deprecated. - items: - format: string - type: string - type: array - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests. - type: string - websocketUpgrade: - description: Deprecated. - type: boolean - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied to. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied to. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: instances.config.istio.io - labels: - app: mixer - package: instance - istio: mixer-instance - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: instance - plural: instances - singular: instance - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1beta1 -metadata: - name: handlers.config.istio.io - labels: - app: mixer - package: handler - istio: mixer-handler - chart: istio - heritage: Tiller - release: istio -spec: - group: config.istio.io - names: - kind: handler - plural: handlers - singular: handler - categories: - - istio-io - - policy-istio-io - scope: Namespaced - subresources: - status: {} - versions: - - name: v1alpha2 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - plural: sidecars - singular: sidecar - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The ip to which the listener should be bound. - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - type: object - type: object - type: array - outboundTrafficPolicy: - description: This allows to configure the outbound traffic policy. - properties: - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - type: object - versions: - - name: v1alpha3 - served: true - storage: true ---- - - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details - at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html' - properties: - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - values: - description: The allowed values for the attribute. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - type: object - versions: - - name: v1beta1 - served: true - storage: true ---- - - -apiVersion: v1 -kind: Namespace -metadata: - name: istio-system - labels: - istio-operator-managed: Reconcile - istio-injection: disabled ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-reader-service-account - namespace: istio-system - labels: - app: istio-reader - release: istio ---- - -# CertManager component is disabled. - -# Resources for Citadel component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-citadel-istio-system - labels: - app: citadel - release: istio -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "update"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "watch", "list", "update", "delete"] -- apiGroups: [""] - resources: ["serviceaccounts", "services", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-citadel-istio-system - labels: - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-citadel-istio-system -subjects: - - kind: ServiceAccount - name: istio-citadel-service-account - namespace: istio-system ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: security - istio: citadel - release: istio - name: istio-citadel - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: citadel - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: citadel - istio: citadel - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --append-dns-names=true - - --grpc-port=8060 - - --citadel-storage-namespace=istio-system - - --custom-dns-names=istio-galley-service-account.istio-config:istio-galley.istio-config.svc,istio-galley-service-account.istio-control:istio-galley.istio-control.svc,istio-galley-service-account.istio-control-master:istio-galley.istio-control-master.svc,istio-galley-service-account.istio-master:istio-galley.istio-master.svc,istio-galley-service-account.istio-pilot11:istio-galley.istio-pilot11.svc,istio-pilot-service-account.istio-control:istio-pilot.istio-control,istio-pilot-service-account.istio-pilot11:istio-pilot.istio-system,istio-sidecar-injector-service-account.istio-control:istio-sidecar-injector.istio-control.svc,istio-sidecar-injector-service-account.istio-control-master:istio-sidecar-injector.istio-control-master.svc,istio-sidecar-injector-service-account.istio-master:istio-sidecar-injector.istio-master.svc,istio-sidecar-injector-service-account.istio-pilot11:istio-sidecar-injector.istio-pilot11.svc,istio-sidecar-injector-service-account.istio-remote:istio-sidecar-injector.istio-remote.svc, - - --self-signed-ca=true - - --trust-domain=cluster.local - - --workload-cert-ttl=2160h - env: - - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT - value: "true" - image: docker.io/istio/citadel:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /version - port: 15014 - initialDelaySeconds: 5 - periodSeconds: 5 - name: citadel - resources: - requests: - cpu: 10m - serviceAccountName: istio-citadel-service-account - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-citadel - namespace: istio-system - labels: - app: security - istio: citadel - release: istio -spec: - minAvailable: 1 - selector: - matchLabels: - app: citadel - istio: citadel ---- - - -apiVersion: v1 -kind: Service -metadata: - # Must match the certificate, this is used in the node agent in same namespace. - name: istio-citadel - namespace: istio-system - labels: - app: security - istio: citadel - release: istio - -spec: - ports: - - name: grpc-citadel - port: 8060 - targetPort: 8060 - protocol: TCP - - name: http-monitoring - port: 15014 - selector: - app: citadel ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-citadel-service-account - namespace: istio-system - labels: - app: security - release: istio ---- - -# Cni component is disabled. - -# CoreDNS component is disabled. - -# EgressGateway component is disabled. - -# Resources for Galley component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-galley-istio-system - labels: - release: istio -rules: - # For reading Istio resources - - apiGroups: [ - "authentication.istio.io", - "config.istio.io", - "networking.istio.io", - "rbac.istio.io", - "security.istio.io"] - resources: ["*"] - verbs: ["get", "list", "watch"] - # For updating Istio resource statuses - - apiGroups: [ - "authentication.istio.io", - "config.istio.io", - "networking.istio.io", - "rbac.istio.io", - "security.istio.io"] - resources: ["*/status"] - verbs: ["update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["*"] - - apiGroups: ["extensions","apps"] - resources: ["deployments"] - resourceNames: ["istio-galley"] - verbs: ["get"] - - apiGroups: [""] - resources: ["pods", "nodes", "services", "endpoints", "namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["namespaces/finalizers"] - verbs: ["update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["clusterroles"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-galley-admin-role-binding-istio-system - labels: - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-galley-istio-system -subjects: - - kind: ServiceAccount - name: istio-galley-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: galley-envoy-config - labels: - app: galley - istio: galley - release: istio -data: - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - - static_resources: - - clusters: - - name: in.9901 - http2_protocol_options: {} - connect_timeout: 1.000s - - hosts: - - socket_address: - address: 127.0.0.1 - port_value: 9901 - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - - listeners: - - name: "15019" - address: - socket_address: - address: 0.0.0.0 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15010" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: in.9901 - timeout: 0.000s - tls_context: - common_tls_context: - alpn_protocols: - - h2 - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - require_client_certificate: true ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-mesh-galley - namespace: istio-system - labels: - release: istio -data: - mesh: |- - {} ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-galley-configuration - namespace: istio-system - labels: - release: istio -data: - validatingwebhookconfiguration.yaml: |- - apiVersion: admissionregistration.k8s.io/v1beta1 - kind: ValidatingWebhookConfiguration - metadata: - name: istio-galley-istio-system - namespace: istio-system - labels: - app: galley - release: istio - istio: galley - webhooks: - - name: pilot.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: istio-system - path: "/admitpilot" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - httpapispecs - - httpapispecbindings - - quotaspecs - - quotaspecbindings - - operations: - - CREATE - - UPDATE - apiGroups: - - rbac.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - authentication.istio.io - apiVersions: - - "*" - resources: - - "*" - - operations: - - CREATE - - UPDATE - apiGroups: - - networking.istio.io - apiVersions: - - "*" - resources: - - destinationrules - - envoyfilters - - gateways - - serviceentries - - sidecars - - virtualservices - failurePolicy: Fail - sideEffects: None - - name: mixer.validation.istio.io - clientConfig: - service: - name: istio-galley - namespace: istio-system - path: "/admitmixer" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - apiVersions: - - v1alpha2 - resources: - - rules - - attributemanifests - - circonuses - - deniers - - fluentds - - kubernetesenvs - - listcheckers - - memquotas - - noops - - opas - - prometheuses - - rbacs - - solarwindses - - stackdrivers - - cloudwatches - - dogstatsds - - statsds - - stdios - - apikeys - - authorizations - - checknothings - # - kuberneteses - - listentries - - logentries - - metrics - - quotas - - reportnothings - - tracespans - - adapters - - handlers - - instances - - templates - - zipkins - failurePolicy: Fail - sideEffects: None ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: galley - istio: galley - release: istio - name: istio-galley - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: galley - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: galley - chart: galley - heritage: Tiller - istio: galley - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - command: - - /usr/local/bin/galley - - server - - --meshConfigFile=/etc/mesh-config/mesh - - --livenessProbeInterval=1s - - --livenessProbePath=/tmp/healthliveness - - --readinessProbePath=/tmp/healthready - - --readinessProbeInterval=1s - - --insecure=true - - --enable-validation=true - - --enable-reconcileWebhookConfiguration=true - - --enable-server=true - - --deployment-namespace=istio-system - - --validation-webhook-config-file - - /etc/config/validatingwebhookconfiguration.yaml - - --monitoringPort=15014 - - --validation-port=9443 - - --log_output_level=default:info - image: docker.io/istio/galley:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /usr/local/bin/galley - - probe - - --probe-path=/tmp/healthliveness - - --interval=10s - initialDelaySeconds: 5 - periodSeconds: 5 - name: galley - ports: - - containerPort: 9443 - - containerPort: 15014 - - containerPort: 15019 - - containerPort: 9901 - readinessProbe: - exec: - command: - - /usr/local/bin/galley - - probe - - --probe-path=/tmp/healthready - - --interval=10s - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - requests: - cpu: 100m - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/config - name: config - readOnly: true - - mountPath: /etc/mesh-config - name: mesh-config - readOnly: true - - args: - - proxy - - --serviceCluster - - istio-galley - - --templateFile - - /var/lib/istio/galley/envoy/envoy.yaml.tmpl - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 9902 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /var/lib/istio/galley/envoy - name: envoy-config - - mountPath: /etc/certs - name: istio-certs - readOnly: true - serviceAccountName: istio-galley-service-account - volumes: - - name: istio-certs - secret: - secretName: istio.istio-galley-service-account - - configMap: - name: galley-envoy-config - name: envoy-config - - configMap: - name: istio-galley-configuration - name: config - - configMap: - name: istio-mesh-galley - name: mesh-config - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-galley - namespace: istio-system - labels: - app: galley - release: istio - istio: galley -spec: - minAvailable: 1 - selector: - matchLabels: - app: galley - release: istio - istio: galley ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-galley - namespace: istio-system - labels: - app: galley - istio: galley - release: istio -spec: - ports: - - port: 443 - name: https-validation - targetPort: 9443 - - port: 15014 - name: http-monitoring - - port: 9901 - name: grpc-mcp - - port: 15019 - name: grpc-tls-mcp - selector: - istio: galley ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-galley-service-account - namespace: istio-system - labels: - app: galley - release: istio ---- - -# Grafana component is disabled. - -# Resources for IngressGateway component - -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-ingressgateway - istio: ingressgateway - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: istio-ingressgateway - chart: gateways - heritage: Tiller - istio: ingressgateway - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --drainDuration - - 45s - - --parentShutdownDuration - - 1m0s - - --connectTimeout - - 10s - - --serviceCluster - - istio-ingressgateway - - --zipkinAddress - - zipkin.istio-system:9411 - - --proxyAdminPort - - "15000" - - --statusPort - - "15020" - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --discoveryAddress - - istio-pilot.istio-system:15011 - - --trust-domain=cluster.local - env: - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_META_ROUTER_MODE - value: sni-dnat - - name: ISTIO_METAJSON_LABELS - value: | - {"app":"istio-ingressgateway","istio":"ingressgateway"} - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15020 - - containerPort: 80 - - containerPort: 443 - - containerPort: 15029 - - containerPort: 15030 - - containerPort: 15031 - - containerPort: 15032 - - containerPort: 15443 - - containerPort: 15011 - - containerPort: 8060 - - containerPort: 853 - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15020 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - serviceAccountName: istio-ingressgateway-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-ingressgateway-service-account - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs - ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: ingressgateway - namespace: istio-system - labels: - release: istio -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" - # Additional ports in gateaway for the ingressPorts - apps using dedicated port instead of hostname ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: ingressgateway - namespace: istio-system - labels: - app: istio-ingressgateway - release: istio - istio: ingressgateway -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - release: istio - istio: ingressgateway ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-ingressgateway - namespace: istio-system - annotations: - labels: - app: istio-ingressgateway - release: istio - istio: ingressgateway -spec: - type: LoadBalancer - selector: - app: istio-ingressgateway - ports: - - - name: status-port - port: 15020 - targetPort: 15020 - - - name: http2 - port: 80 - targetPort: 80 - - - name: https - port: 443 - - - name: kiali - port: 15029 - targetPort: 15029 - - - name: prometheus - port: 15030 - targetPort: 15030 - - - name: grafana - port: 15031 - targetPort: 15031 - - - name: tracing - port: 15032 - targetPort: 15032 - - - name: tls - port: 15443 - targetPort: 15443 ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-ingressgateway-service-account - namespace: istio-system - labels: - app: istio-ingressgateway - release: istio ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: Sidecar -metadata: - name: default - namespace: istio-system - labels: - release: istio -spec: - egress: - - hosts: - - "*/*" ---- - -# Resources for Injector component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-sidecar-injector-istio-system - labels: - app: sidecar-injector - release: istio - istio: sidecar-injector -rules: -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["istio-sidecar-injector"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-istio-system"] - verbs: ["get", "list", "watch", "patch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-sidecar-injector-admin-role-binding-istio-system - labels: - app: sidecar-injector - release: istio - istio: sidecar-injector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-sidecar-injector-istio-system -subjects: - - kind: ServiceAccount - name: istio-sidecar-injector-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: injector-mesh - namespace: istio-system - labels: - release: istio -data: - # This is the 'mesh' config, loaded by the sidecar injector. - # It is a different configmap from pilot to allow a-la-carte install of the injector and follow the model - # of reducing blast-radius of config changes and avoiding globals. - - # Note that injector uses a subset of the mesh config only - for clarity this is only generating the - # required config, i.e. the defaultConfig section. See injection-template .ProxyConfig settings. - - - mesh: |- - # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: "" - - defaultConfig: - # - # TCP connection timeout between Envoy & the application, and between Envoys. - connectTimeout: 10s - # - ### ADVANCED SETTINGS ############# - # Where should envoy's configuration be stored in the istio-proxy container - configPath: "/etc/istio/proxy" - # The pseudo service name used for Envoy. - serviceCluster: istio-proxy - # These settings that determine how long an old Envoy - # process should be kept alive after an occasional reload. - drainDuration: 45s - parentShutdownDuration: 1m0s - # - # Port where Envoy listens (on local host) for admin commands - # You can exec into the istio-proxy container in a pod and - # curl the admin port (curl http://localhost:15000/) to obtain - # diagnostic information from Envoy. See - # https://lyft.github.io/envoy/docs/operations/admin.html - # for more details - proxyAdminPort: 15000 - # - # Set concurrency to a specific number to control the number of Proxy worker threads. - # If set to 0 (default), then start worker thread for each CPU thread/core. - concurrency: 2 - # - tracing: - zipkin: - # Address of the Zipkin collector - address: zipkin.istio-system:9411 - # - # Mutual TLS authentication between sidecars and istio control plane. - controlPlaneAuthPolicy: MUTUAL_TLS - # - # Address where istio Pilot service is running - discoveryAddress: istio-pilot.istio-system:15011 ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: sidecarInjectorWebhook - istio: sidecar-injector - release: istio - name: istio-sidecar-injector - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: sidecar-injector - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: sidecarInjectorWebhook - chart: sidecarInjectorWebhook - heritage: Tiller - istio: sidecar-injector - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --caCertFile=/etc/istio/certs/root-cert.pem - - --tlsCertFile=/etc/istio/certs/cert-chain.pem - - --tlsKeyFile=/etc/istio/certs/key.pem - - --injectConfig=/etc/istio/inject/config - - --meshConfig=/etc/istio/config/mesh - - --port=9443 - - --healthCheckInterval=2s - - --healthCheckFile=/tmp/health - - --reconcileWebhookConfig=true - - --webhookConfigName=istio-sidecar-injector - - --log_output_level=debug - image: docker.io/istio/sidecar_injector:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /usr/local/bin/sidecar-injector - - probe - - --probe-path=/tmp/health - - --interval=4s - initialDelaySeconds: 4 - periodSeconds: 4 - name: sidecar-injector-webhook - readinessProbe: - exec: - command: - - /usr/local/bin/sidecar-injector - - probe - - --probe-path=/tmp/health - - --interval=4s - initialDelaySeconds: 4 - periodSeconds: 4 - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - readOnly: true - - mountPath: /etc/istio/certs - name: certs - readOnly: true - - mountPath: /etc/istio/inject - name: inject-config - readOnly: true - serviceAccountName: istio-sidecar-injector-service-account - volumes: - - configMap: - name: injector-mesh - name: config-volume - - name: certs - secret: - secretName: istio.istio-sidecar-injector-service-account - - configMap: - items: - - key: config - path: config - - key: values - path: values - name: istio-sidecar-injector - name: inject-config - ---- - - -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-sidecar-injector - - labels: - app: sidecar-injector - release: istio -webhooks: - - name: sidecar-injector.istio.io - clientConfig: - service: - name: istio-sidecar-injector - namespace: istio-system - path: "/inject" - caBundle: "" - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - namespaceSelector: - matchLabels: - istio-injection: enabled ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - app: sidecar-injector - release: istio - istio: sidecar-injector -spec: - minAvailable: 1 - selector: - matchLabels: - app: sidecar-injector - release: istio - istio: sidecar-injector ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - app: sidecarInjectorWebhook - release: istio - istio: sidecar-injector -spec: - ports: - - port: 443 - targetPort: 9443 - selector: - istio: sidecar-injector ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-sidecar-injector-service-account - namespace: istio-system - labels: - app: sidecarInjectorWebhook - release: istio - istio: sidecar-injector ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - release: istio - app: sidecar-injector - istio: sidecar-injector -data: - values: |- - {"certmanager":{"enabled":false,"hub":"quay.io/jetstack","image":"cert-manager-controller","namespace":"istio-system","tag":"v0.6.2"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"namespace":"istio-system","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP","zvpn":{"enabled":true,"suffix":"global"}},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"namespace":"istio-system","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"LoadBalancer","zvpn":{"enabled":true,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshNetworks":{},"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"securityNamespace":"istio-system","tag":"1.4.5","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"cluster.local","useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.9"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":true,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":true,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[],"useMCP":true}},"nodeagent":{"enabled":false,"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"OFF","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1,"useMCP":true},"prometheus":{"contextPath":"/prometheus","enabled":true,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.12.0","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":true,"image":"citadel","namespace":"istio-system","selfSigned":true,"trustDomain":"cluster.local"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":true},"v2":{"enabled":false,"prometheus":{"enabled":true},"stackdriver":{"configOverride":{},"enabled":false,"logging":false,"monitoring":false,"topology":false}}},"tracing":{"enabled":false,"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.14"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} - - config: |- - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - template: | - {{- $cniDisabled := (not .Values.istio_cni.enabled) }} - {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }} - {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }} - rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} - {{- if $enableInitContainer }} - initContainers: - {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if $cniRepairEnabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - command: - {{- if $cniRepairEnabled }} - - istio-iptables-go - {{- else }} - - istio-iptables - {{- end }} - - "-p" - - "15001" - - "-z" - - "15006" - - "-u" - - 1337 - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if $cniRepairEnabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{- if .Values.global.proxy_init.resources }} - resources: - {{ toYaml .Values.global.proxy_init.resources | indent 4 }} - {{- else }} - resources: {} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not $cniRepairEnabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - readOnlyRootFilesystem: false - {{- if not $cniRepairEnabled }} - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --configPath - - "/etc/istio/proxy" - - --binaryPath - - "/usr/local/bin/envoy" - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - - --drainDuration - - "{{ formatDuration .ProxyConfig.DrainDuration }}" - - --parentShutdownDuration - - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" - - --discoveryAddress - - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" - {{- if eq .Values.global.proxy.tracer "lightstep" }} - - --lightstepAddress - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" - - --lightstepAccessToken - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" - - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} - - --lightstepCacertPath - - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - - --zipkinAddress - - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" - {{- else if eq .Values.global.proxy.tracer "datadog" }} - - --datadogAgentAddress - - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" - {{- end }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} - - --connectTimeout - - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" - {{- if .Values.global.proxy.envoyStatsd.enabled }} - - --statsdUdpAddress - - "{{ .ProxyConfig.StatsdUdpAddress }}" - {{- end }} - {{- if .Values.global.proxy.envoyMetricsService.enabled }} - - --envoyMetricsServiceAddress - - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" - {{- end }} - {{- if .Values.global.proxy.envoyAccessLogService.enabled }} - - --envoyAccessLogServiceAddress - - "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}" - {{- end }} - - --proxyAdminPort - - "{{ .ProxyConfig.ProxyAdminPort }}" - {{ if gt .ProxyConfig.Concurrency 0 -}} - - --concurrency - - "{{ .ProxyConfig.Concurrency }}" - {{ end -}} - {{- if .Values.global.controlPlaneSecurityEnabled }} - - --controlPlaneAuthPolicy - - MUTUAL_TLS - {{- else }} - - --controlPlaneAuthPolicy - - NONE - {{- end }} - - --dnsRefreshRate - - {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }} - {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} - - --statusPort - - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" - - --applicationPorts - - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" - - {{- end }} - {{- if .Values.global.trustDomain }} - - --trust-domain={{ .Values.global.trustDomain }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} - {{- end }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if eq .Values.global.proxy.tracer "datadog" }} - {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- end }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: ISTIO_META_CONFIG_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: SDS_ENABLED - value: "{{ .Values.global.sds.enabled }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - - name: ISTIO_META_INCLUDE_INBOUND_PORTS - value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} - {{ if .ObjectMeta.Labels }} - - name: ISTIO_METAJSON_LABELS - value: | - {{ toJSON .ObjectMeta.Labels }} - {{ end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{ .DeploymentMeta.Name }} - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.sds.customTokenDirectory }} - - name: ISTIO_META_SDS_TOKEN_PATH - value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if .Values.global.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.trustDomain }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - add: - - NET_ADMIN - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} - runAsGroup: 1337 - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end}} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{ else -}} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} - {{- end }} - {{ end -}} - volumeMounts: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if .Values.global.sds.enabled }} - - mountPath: /var/run/sds - name: sds-uds-path - readOnly: true - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.sds.customTokenDirectory }} - - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" - name: custom-sds-token - readOnly: true - {{- end }} - {{- else }} - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - - emptyDir: - medium: Memory - name: istio-envoy - {{- if .Values.global.sds.enabled }} - - name: sds-uds-path - hostPath: - path: /var/run/sds - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if .Values.global.sds.customTokenDirectory }} - - name: custom-sds-token - secret: - secretName: sdstokensecret - {{- end }} - {{- else }} - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 2 }} - {{ end }} - {{ end }} - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.podDNSSearchNamespaces }} - dnsConfig: - searches: - {{- range .Values.global.podDNSSearchNamespaces }} - - {{ render . }} - {{- end }} - {{- end }} - injectedAnnotations: ---- - -# Kiali component is disabled. - -# NodeAgent component is disabled. - -# Resources for Pilot component - -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: pilot - release: istio - name: istio-pilot - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-pilot - ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-pilot-istio-system - labels: - app: pilot - release: istio -rules: -- apiGroups: ["config.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["rbac.istio.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: ["security.istio.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: ["networking.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["authentication.istio.io"] - resources: ["*"] - verbs: ["*"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["*"] -- apiGroups: ["extensions"] - resources: ["ingresses", "ingresses/status"] - verbs: ["*"] -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] -- apiGroups: [""] - resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "get", "watch", "list", "update", "delete"] -- apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-pilot-istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-pilot-istio-system -subjects: - - kind: ServiceAccount - name: istio-pilot-service-account - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: pilot-envoy-config - labels: - release: istio -data: - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - - static_resources: - clusters: - - name: in.15010 - http2_protocol_options: {} - connect_timeout: 1.000s - - hosts: - - socket_address: - address: 127.0.0.1 - port_value: 15010 - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - - # TODO: telemetry using EDS - # TODO: other pilots using EDS, load balancing - # TODO: galley using EDS - - - name: out.galley.15019 - http2_protocol_options: {} - connect_timeout: 1.000s - type: STRICT_DNS - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - hosts: - - socket_address: - address: istio-galley.istio-system - port_value: 15019 - tls_context: - common_tls_context: - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - verify_subject_alt_name: - - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account - - listeners: - - name: "in.15011" - address: - socket_address: - address: 0.0.0.0 - port_value: 15011 - filter_chains: - - filters: - - name: envoy.http_connection_manager - #typed_config - #"@type": "type.googleapis.com/", - config: - codec_type: HTTP2 - stat_prefix: "15011" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15011" - - virtual_hosts: - - name: istio-pilot - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: in.15010 - timeout: 0.000s - decorator: - operation: xDS - tls_context: - common_tls_context: - alpn_protocols: - - h2 - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - require_client_certificate: true - - - # Manual 'whitebox' mode - - name: "local.15019" - address: - socket_address: - address: 127.0.0.1 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15019" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: out.galley.15019 - timeout: 0.000s ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - release: istio -data: - - meshNetworks: |- - # Network config - networks: {} - - values.yaml: |- - appNamespaces: [] - autoscaleEnabled: true - autoscaleMax: 5 - autoscaleMin: 1 - configMap: true - configNamespace: istio-config - cpu: - targetAverageUtilization: 80 - enableProtocolSniffingForInbound: false - enableProtocolSniffingForOutbound: true - enabled: true - env: {} - image: pilot - ingress: - ingressClass: istio - ingressControllerMode: "OFF" - ingressService: istio-ingressgateway - keepaliveMaxServerConnectionAge: 30m - meshNetworks: - networks: {} - namespace: istio-system - nodeSelector: {} - plugins: [] - podAnnotations: {} - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - policy: - enabled: false - replicaCount: 1 - resources: - requests: - cpu: 500m - memory: 2048Mi - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - tolerations: [] - traceSampling: 1 - useMCP: true - - mesh: |- - # Set enableTracing to false to disable request tracing. - enableTracing: true - - # Set accessLogFile to empty string to disable access log. - accessLogFile: "" - - accessLogFormat: "" - - accessLogEncoding: 'TEXT' - - enableEnvoyAccessLogService: false - mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004 - mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004 - # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. - # Default is false which means the traffic is denied when the client is unable to connect to Mixer. - policyCheckFailOpen: false - # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server - reportBatchMaxEntries: 100 - # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server - reportBatchMaxTime: 1s - disableMixerHttpReports: false - - disablePolicyChecks: true - - # Automatic protocol detection uses a set of heuristics to - # determine whether the connection is using TLS or not (on the - # server side), as well as the application protocol being used - # (e.g., http vs tcp). These heuristics rely on the client sending - # the first bits of data. For server first protocols like MySQL, - # MongoDB, etc., Envoy will timeout on the protocol detection after - # the specified period, defaulting to non mTLS plain TCP - # traffic. Set this field to tweak the period that Envoy will wait - # for the client to send the first bits of data. (MUST BE >=1ms) - protocolDetectionTimeout: 100ms - - # This is the k8s ingress service name, update if you used a different name - ingressService: "istio-ingressgateway" - ingressControllerMode: "OFF" - ingressClass: "istio" - - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The trust domain aliases represent the aliases of trust_domain. - # For example, if we have - # trustDomain: td1 - # trustDomainAliases: [“td2”, "td3"] - # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account", - # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh. - trustDomainAliases: - - # Set expected values when SDS is disabled - # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get - # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. - sdsUdsPath: "" - - # This flag is used by secret discovery service(SDS). - # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount - # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which - # will be used to generate key/cert eventually. This isn't supported for non-k8s case. - enableSdsTokenMount: false - - # This flag is used by secret discovery service(SDS). - # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' - # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) - # and pass to sds server, which will be used to request key/cert eventually. - # this flag is ignored if enableSdsTokenMount is set. - # This isn't supported for non-k8s case. - sdsUseK8sSaJwt: false - - # If true, automatically configure client side mTLS settings to match the corresponding service's - # server side mTLS authentication policy, when destination rule for that service does not specify - # TLS settings. - enableAutoMtls: false - config_sources: - - address: localhost:15019 - - outboundTrafficPolicy: - mode: ALLOW_ANY - localityLbSetting: - enabled: true - - # Configures DNS certificates provisioned through Chiron linked into Pilot. - # The DNS certificate provisioning is enabled by default now so it get tested. - # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release. - certificates: - [] - - defaultConfig: - # - # TCP connection timeout between Envoy & the application, and between Envoys. - connectTimeout: 10s - # - ### ADVANCED SETTINGS ############# - # Where should envoy's configuration be stored in the istio-proxy container - configPath: "/etc/istio/proxy" - # The pseudo service name used for Envoy. - serviceCluster: istio-proxy - # These settings that determine how long an old Envoy - # process should be kept alive after an occasional reload. - drainDuration: 45s - parentShutdownDuration: 1m0s - # - # Port where Envoy listens (on local host) for admin commands - # You can exec into the istio-proxy container in a pod and - # curl the admin port (curl http://localhost:15000/) to obtain - # diagnostic information from Envoy. See - # https://lyft.github.io/envoy/docs/operations/admin.html - # for more details - proxyAdminPort: 15000 - # - # Set concurrency to a specific number to control the number of Proxy worker threads. - # If set to 0 (default), then start worker thread for each CPU thread/core. - concurrency: 2 - # - tracing: - zipkin: - # Address of the Zipkin collector - address: zipkin.istio-system:9411 - # - # Mutual TLS authentication between sidecars and istio control plane. - controlPlaneAuthPolicy: MUTUAL_TLS - # - # Address where istio Pilot service is running - discoveryAddress: istio-pilot.istio-system:15011 ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: pilot - istio: pilot - release: istio - name: istio-pilot - namespace: istio-system -spec: - selector: - matchLabels: - istio: pilot - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: pilot - chart: pilot - heritage: Tiller - istio: pilot - release: istio - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - discovery - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --secureGrpcAddr - - "" - - --trust-domain=cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: PILOT_TRACE_SAMPLING - value: "1" - - name: CONFIG_NAMESPACE - value: istio-config - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "true" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "false" - image: docker.io/istio/pilot:1.4.5 - imagePullPolicy: IfNotPresent - name: discovery - ports: - - containerPort: 8080 - - containerPort: 15010 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 30 - timeoutSeconds: 5 - resources: - requests: - cpu: 500m - memory: 2048Mi - volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - - args: - - proxy - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --serviceCluster - - istio-pilot - - --templateFile - - /var/lib/envoy/envoy.yaml.tmpl - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15011 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /var/lib/envoy - name: pilot-envoy-config - - mountPath: /etc/certs - name: istio-certs - readOnly: true - serviceAccountName: istio-pilot-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-pilot-service-account - - configMap: - name: istio - name: config-volume - - configMap: - name: pilot-envoy-config - name: pilot-envoy-config - ---- - - -apiVersion: "authentication.istio.io/v1alpha1" -kind: "MeshPolicy" -metadata: - name: "default" - labels: - release: istio -spec: - peers: - - mtls: - mode: PERMISSIVE ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-pilot - namespace: istio-system - labels: - app: pilot - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: pilot - release: istio - istio: pilot ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-pilot - namespace: istio-system - labels: - app: pilot - release: istio - istio: pilot -spec: - ports: - - port: 15010 - name: grpc-xds # direct - - port: 15011 - name: https-xds # mTLS - - port: 8080 - name: http-legacy-discovery # direct - - port: 15014 - name: http-monitoring - selector: - istio: pilot ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-pilot-service-account - namespace: istio-system - labels: - app: pilot - release: istio ---- - -# Resources for Policy component - -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: mixer - release: istio - name: istio-policy - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-policy - ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-policy - labels: - release: istio - app: istio-policy -rules: -- apiGroups: ["config.istio.io"] # istio CRD watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-policy-admin-role-binding-istio-system - labels: - app: istio-policy - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-policy -subjects: - - kind: ServiceAccount - name: istio-policy-service-account - namespace: istio-system ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-policy - namespace: istio-system - labels: - app: istio-policy - release: istio -spec: - host: istio-policy.istio-system.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 15004 # grpc-mixer-mtls - tls: - mode: ISTIO_MUTUAL - - port: - number: 9091 # grpc-mixer - tls: - mode: DISABLE - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: policy-envoy-config - labels: - release: istio -data: - # Explicitly defined - moved from istio/istio/pilot/docker. - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - stats_config: - use_all_default_tags: false - stats_tags: - - tag_name: cluster_name - regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' - - tag_name: tcp_prefix - regex: '^tcp\.((.*?)\.)\w+?$' - - tag_name: response_code - regex: '_rq(_(\d{3}))$' - - tag_name: response_code_class - regex: '_rq(_(\dxx))$' - - tag_name: http_conn_manager_listener_prefix - regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: http_conn_manager_prefix - regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: listener_address - regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - static_resources: - clusters: - - name: prometheus_stats - type: STATIC - connect_timeout: 0.250s - lb_policy: ROUND_ROBIN - hosts: - - socket_address: - protocol: TCP - address: 127.0.0.1 - port_value: 15000 - - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - connect_timeout: 1.000s - hosts: - - pipe: - path: /sock/mixer.socket - http2_protocol_options: {} - name: inbound_9092 - - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - connect_timeout: 1.000s - hosts: - - socket_address: - address: istio-telemetry - port_value: 15004 - http2_protocol_options: {} - name: mixer_report_server - tls_context: - common_tls_context: - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - verify_subject_alt_name: - - spiffe://cluster.local/ns/istio-system/sa/istio-mixer-service-account - type: STRICT_DNS - dns_lookup_family: V4_ONLY - - - name: out.galley.15019 - http2_protocol_options: {} - connect_timeout: 1.000s - type: STRICT_DNS - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - hosts: - - socket_address: - address: istio-galley.istio-system - port_value: 15019 - tls_context: - common_tls_context: - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - verify_subject_alt_name: - - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account - - listeners: - - name: "15090" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 15090 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: AUTO - stat_prefix: stats - route_config: - virtual_hosts: - - name: backend - domains: - - '*' - routes: - - match: - prefix: /stats/prometheus - route: - cluster: prometheus_stats - http_filters: - - name: envoy.router - - - name: "15004" - address: - socket_address: - address: 0.0.0.0 - port_value: 15004 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-policy.istio-system.svc.cluster.local - service_configs: - istio-policy.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-policy.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-policy - destination.service.name: - string_value: istio-policy - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 15004 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: mixer_report_server - attributes_for_mixer_proxy: - attributes: - source.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - name: mixer - - name: envoy.router - route_config: - name: "15004" - virtual_hosts: - - domains: - - '*' - name: istio-policy.istio-system.svc.cluster.local - routes: - - decorator: - operation: Check - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "15004" - name: envoy.http_connection_manager - tls_context: - common_tls_context: - alpn_protocols: - - h2 - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - require_client_certificate: true - - - name: "9091" - address: - socket_address: - address: 0.0.0.0 - port_value: 9091 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-policy.istio-system.svc.cluster.local - service_configs: - istio-policy.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-policy.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-policy - destination.service.name: - string_value: istio-policy - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 9091 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: mixer_report_server - attributes_for_mixer_proxy: - attributes: - source.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - name: mixer - - name: envoy.router - route_config: - name: "9091" - virtual_hosts: - - domains: - - '*' - name: istio-policy.istio-system.svc.cluster.local - routes: - - decorator: - operation: Check - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "9091" - name: envoy.http_connection_manager - name: "9091" - - - name: "local.15019" - address: - socket_address: - address: 127.0.0.1 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15019" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: out.galley.15019 - timeout: 0.000s ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-policy - istio: mixer - release: istio - name: istio-policy - namespace: istio-system -spec: - selector: - matchLabels: - istio: mixer - istio-mixer-type: policy - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: policy - istio: mixer - istio-mixer-type: policy - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --monitoringPort=15014 - - --address - - unix:///sock/mixer.socket - - --log_output_level=default:info - - --configStoreURL=mcp://localhost:15019 - - --configDefaultNamespace=istio-system - - --useAdapterCRDs=false - - --useTemplateCRDs=false - - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: docker.io/istio/mixer:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /version - port: 15014 - initialDelaySeconds: 5 - periodSeconds: 5 - name: mixer - ports: - - containerPort: 9091 - - containerPort: 15014 - - containerPort: 42422 - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /sock - name: uds-socket - - mountPath: /var/run/secrets/istio.io/policy/adapter - name: policy-adapter-secret - readOnly: true - - args: - - proxy - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --serviceCluster - - istio-policy - - --templateFile - - /var/lib/envoy/envoy.yaml.tmpl - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15004 - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /var/lib/envoy - name: policy-envoy-config - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /sock - name: uds-socket - serviceAccountName: istio-policy-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-policy-service-account - - emptyDir: {} - name: uds-socket - - name: policy-adapter-secret - secret: - optional: true - secretName: policy-adapter-secret - - configMap: - name: policy-envoy-config - name: policy-envoy-config - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-policy - namespace: istio-system - labels: - app: policy - release: istio - istio: mixer - istio-mixer-type: policy -spec: - minAvailable: 1 - selector: - matchLabels: - app: policy - istio: mixer - istio-mixer-type: policy ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-policy - namespace: istio-system - labels: - app: mixer - istio: mixer - release: istio -spec: - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-policy-monitoring - port: 15014 - selector: - istio: mixer - istio-mixer-type: policy ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-policy-service-account - namespace: istio-system - labels: - app: istio-policy - release: istio ---- - -# Resources for Prometheus component - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: prometheus-istio-system - labels: - app: prometheus - release: istio -rules: -- apiGroups: [""] - resources: - - nodes - - services - - endpoints - - pods - - nodes/proxy - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: - - configmaps - verbs: ["get"] -- nonResourceURLs: ["/metrics"] - verbs: ["get"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: prometheus-istio-system - labels: - app: prometheus - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: prometheus-istio-system -subjects: -- kind: ServiceAccount - name: prometheus - namespace: istio-system ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - name: prometheus - namespace: istio-system - labels: - app: prometheus - release: istio -data: - prometheus.yml: |- - global: - scrape_interval: 15s - scrape_configs: - - # Mixer scrapping. Defaults to Prometheus and mixer on same namespace. - # - - job_name: 'istio-mesh' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-telemetry;prometheus - - # Scrape config for envoy stats - - job_name: 'envoy-stats' - metrics_path: /stats/prometheus - kubernetes_sd_configs: - - role: pod - - relabel_configs: - - source_labels: [__meta_kubernetes_pod_container_port_name] - action: keep - regex: '.*-envoy-prom' - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:15090 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name - - - job_name: 'istio-policy' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-policy;http-policy-monitoring - - - job_name: 'istio-telemetry' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-telemetry;http-monitoring - - - job_name: 'pilot' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-pilot;http-monitoring - - - job_name: 'galley' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-galley;http-monitoring - - - job_name: 'citadel' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - istio-system - - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: istio-citadel;http-monitoring - - # scrape config for API servers - - job_name: 'kubernetes-apiservers' - kubernetes_sd_configs: - - role: endpoints - namespaces: - names: - - default - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - relabel_configs: - - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - action: keep - regex: kubernetes;https - - # scrape config for nodes (kubelet) - - job_name: 'kubernetes-nodes' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/${1}/proxy/metrics - - # Scrape config for Kubelet cAdvisor. - # - # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics - # (those whose names begin with 'container_') have been removed from the - # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to - # retrieve those metrics. - # - # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor - # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" - # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with - # the --cadvisor-port=0 Kubelet flag). - # - # This job is not necessary and should be removed in Kubernetes 1.6 and - # earlier versions, or it will cause the metrics to be scraped twice. - - job_name: 'kubernetes-cadvisor' - scheme: https - tls_config: - ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - kubernetes_sd_configs: - - role: node - relabel_configs: - - action: labelmap - regex: __meta_kubernetes_node_label_(.+) - - target_label: __address__ - replacement: kubernetes.default.svc:443 - - source_labels: [__meta_kubernetes_node_name] - regex: (.+) - target_label: __metrics_path__ - replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor - - # scrape config for service endpoints. - - job_name: 'kubernetes-service-endpoints' - kubernetes_sd_configs: - - role: endpoints - relabel_configs: - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] - action: replace - target_label: __scheme__ - regex: (https?) - - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] - action: replace - target_label: __address__ - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - - action: labelmap - regex: __meta_kubernetes_service_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: kubernetes_namespace - - source_labels: [__meta_kubernetes_service_name] - action: replace - target_label: kubernetes_name - - - job_name: 'kubernetes-pods' - kubernetes_sd_configs: - - role: pod - relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] - action: drop - regex: (.+) - - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] - action: drop - regex: (true) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name - - job_name: 'kubernetes-pods-istio-secure' - scheme: https - tls_config: - ca_file: /etc/istio-certs/root-cert.pem - cert_file: /etc/istio-certs/cert-chain.pem - key_file: /etc/istio-certs/key.pem - insecure_skip_verify: true # prometheus does not support secure naming. - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] - action: keep - regex: true - # sidecar status annotation is added by sidecar injector and - # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. - - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] - action: keep - regex: (([^;]+);([^;]*))|(([^;]*);(true)) - - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] - action: replace - target_label: __metrics_path__ - regex: (.+) - - source_labels: [__address__] # Only keep address that is host:port - action: keep # otherwise an extra target with ':443' is added for https scheme - regex: ([^:]+):(\d+) - - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] - action: replace - regex: ([^:]+)(?::\d+)?;(\d+) - replacement: $1:$2 - target_label: __address__ - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - - source_labels: [__meta_kubernetes_namespace] - action: replace - target_label: namespace - - source_labels: [__meta_kubernetes_pod_name] - action: replace - target_label: pod_name ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: prometheus - namespace: istio-system - labels: - app: prometheus - release: istio -spec: - replicas: 1 - selector: - matchLabels: - app: prometheus - template: - metadata: - labels: - app: prometheus - release: istio - annotations: - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: prometheus - containers: - - name: prometheus - image: "docker.io/prom/prometheus:v2.12.0" - imagePullPolicy: IfNotPresent - args: - - '--storage.tsdb.retention=6h' - - '--config.file=/etc/prometheus/prometheus.yml' - ports: - - containerPort: 9090 - name: http - livenessProbe: - httpGet: - path: /-/healthy - port: 9090 - readinessProbe: - httpGet: - path: /-/ready - port: 9090 - resources: - requests: - cpu: 10m - - volumeMounts: - - name: config-volume - mountPath: /etc/prometheus - - mountPath: /etc/istio-certs - name: istio-certs - volumes: - - name: config-volume - configMap: - name: prometheus - - name: istio-certs - secret: - defaultMode: 420 - secretName: istio.default - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - - weight: 2 - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x ---- - - -apiVersion: v1 -kind: Service -metadata: - name: prometheus - namespace: istio-system - annotations: - prometheus.io/scrape: 'true' - labels: - app: prometheus - release: istio -spec: - selector: - app: prometheus - ports: - - name: http-prometheus - protocol: TCP - port: 9090 ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: prometheus - namespace: istio-system - labels: - app: prometheus - release: istio ---- - -# PrometheusOperator component is disabled. - -# Resources for Telemetry component - -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: mixer - release: istio - name: istio-telemetry - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-telemetry - ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-mixer-istio-system - labels: - app: istio-telemetry - release: istio -rules: -- apiGroups: ["config.istio.io"] # istio CRD watcher - resources: ["*"] - verbs: ["create", "get", "list", "watch", "patch"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions", "apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-mixer-admin-role-binding-istio-system - labels: - app: istio-telemetry - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-mixer-istio-system -subjects: - - kind: ServiceAccount - name: istio-mixer-service-account - namespace: istio-system ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: attributemanifest -metadata: - name: istioproxy - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - attributes: - origin.ip: - valueType: IP_ADDRESS - origin.uid: - valueType: STRING - origin.user: - valueType: STRING - request.headers: - valueType: STRING_MAP - request.id: - valueType: STRING - request.host: - valueType: STRING - request.method: - valueType: STRING - request.path: - valueType: STRING - request.url_path: - valueType: STRING - request.query_params: - valueType: STRING_MAP - request.reason: - valueType: STRING - request.referer: - valueType: STRING - request.scheme: - valueType: STRING - request.total_size: - valueType: INT64 - request.size: - valueType: INT64 - request.time: - valueType: TIMESTAMP - request.useragent: - valueType: STRING - response.code: - valueType: INT64 - response.duration: - valueType: DURATION - response.headers: - valueType: STRING_MAP - response.total_size: - valueType: INT64 - response.size: - valueType: INT64 - response.time: - valueType: TIMESTAMP - response.grpc_status: - valueType: STRING - response.grpc_message: - valueType: STRING - source.uid: - valueType: STRING - source.user: # DEPRECATED - valueType: STRING - source.principal: - valueType: STRING - destination.uid: - valueType: STRING - destination.principal: - valueType: STRING - destination.port: - valueType: INT64 - connection.event: - valueType: STRING - connection.id: - valueType: STRING - connection.received.bytes: - valueType: INT64 - connection.received.bytes_total: - valueType: INT64 - connection.sent.bytes: - valueType: INT64 - connection.sent.bytes_total: - valueType: INT64 - connection.duration: - valueType: DURATION - connection.mtls: - valueType: BOOL - connection.requested_server_name: - valueType: STRING - context.protocol: - valueType: STRING - context.proxy_error_code: - valueType: STRING - context.timestamp: - valueType: TIMESTAMP - context.time: - valueType: TIMESTAMP - # Deprecated, kept for compatibility - context.reporter.local: - valueType: BOOL - context.reporter.kind: - valueType: STRING - context.reporter.uid: - valueType: STRING - context.proxy_version: - valueType: STRING - api.service: - valueType: STRING - api.version: - valueType: STRING - api.operation: - valueType: STRING - api.protocol: - valueType: STRING - request.auth.principal: - valueType: STRING - request.auth.audiences: - valueType: STRING - request.auth.presenter: - valueType: STRING - request.auth.claims: - valueType: STRING_MAP - request.auth.raw_claims: - valueType: STRING - request.api_key: - valueType: STRING - rbac.permissive.response_code: - valueType: STRING - rbac.permissive.effective_policy_id: - valueType: STRING - check.error_code: - valueType: INT64 - check.error_message: - valueType: STRING - check.cache_hit: - valueType: BOOL - quota.cache_hit: - valueType: BOOL ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: attributemanifest -metadata: - name: kubernetes - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - attributes: - source.ip: - valueType: IP_ADDRESS - source.labels: - valueType: STRING_MAP - source.metadata: - valueType: STRING_MAP - source.name: - valueType: STRING - source.namespace: - valueType: STRING - source.owner: - valueType: STRING - source.serviceAccount: - valueType: STRING - source.services: - valueType: STRING - source.workload.uid: - valueType: STRING - source.workload.name: - valueType: STRING - source.workload.namespace: - valueType: STRING - destination.ip: - valueType: IP_ADDRESS - destination.labels: - valueType: STRING_MAP - destination.metadata: - valueType: STRING_MAP - destination.owner: - valueType: STRING - destination.name: - valueType: STRING - destination.container.name: - valueType: STRING - destination.namespace: - valueType: STRING - destination.service.uid: - valueType: STRING - destination.service.name: - valueType: STRING - destination.service.namespace: - valueType: STRING - destination.service.host: - valueType: STRING - destination.serviceAccount: - valueType: STRING - destination.workload.uid: - valueType: STRING - destination.workload.name: - valueType: STRING - destination.workload.namespace: - valueType: STRING ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: requestcount - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: requestduration - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: response.duration | "0ms" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: requestsize - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: request.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: responsesize - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: response.size | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - request_protocol: api.protocol | context.protocol | "unknown" - response_code: response.code | 200 - response_flags: context.proxy_error_code | "-" - permissive_response_code: rbac.permissive.response_code | "none" - permissive_response_policyid: rbac.permissive.effective_policy_id | "none" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpbytesent - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: connection.sent.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpbytereceived - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: connection.received.bytes | 0 - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpconnectionsopened - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: tcpconnectionsclosed - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: metric - params: - value: "1" - dimensions: - reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") - source_workload: source.workload.name | "unknown" - source_workload_namespace: source.workload.namespace | "unknown" - source_principal: source.principal | "unknown" - source_app: source.labels["app"] | "unknown" - source_version: source.labels["version"] | "unknown" - destination_workload: destination.workload.name | "unknown" - destination_workload_namespace: destination.workload.namespace | "unknown" - destination_principal: destination.principal | "unknown" - destination_app: destination.labels["app"] | "unknown" - destination_version: destination.labels["version"] | "unknown" - destination_service: destination.service.host | "unknown" - destination_service_name: destination.service.name | "unknown" - destination_service_namespace: destination.service.namespace | "unknown" - connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) - response_flags: context.proxy_error_code | "-" - monitored_resource_type: '"UNSPECIFIED"' ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: prometheus - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledAdapter: prometheus - params: - metricsExpirationPolicy: - metricsExpiryDuration: "10m" - metrics: - - name: requests_total - instance_name: requestcount.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - - name: request_duration_seconds - instance_name: requestduration.instance.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - explicit_buckets: - bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - - name: request_bytes - instance_name: requestsize.instance.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: response_bytes - instance_name: responsesize.instance.istio-system - kind: DISTRIBUTION - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - request_protocol - - response_code - - response_flags - - permissive_response_code - - permissive_response_policyid - - connection_security_policy - buckets: - exponentialBuckets: - numFiniteBuckets: 8 - scale: 1 - growthFactor: 10 - - name: tcp_sent_bytes_total - instance_name: tcpbytesent.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_received_bytes_total - instance_name: tcpbytereceived.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_connections_opened_total - instance_name: tcpconnectionsopened.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags - - name: tcp_connections_closed_total - instance_name: tcpconnectionsclosed.instance.istio-system - kind: COUNTER - label_names: - - reporter - - source_app - - source_principal - - source_workload - - source_workload_namespace - - source_version - - destination_app - - destination_principal - - destination_workload - - destination_workload_namespace - - destination_version - - destination_service - - destination_service_name - - destination_service_namespace - - connection_security_policy - - response_flags ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promhttp - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) - actions: - - handler: prometheus - instances: - - requestcount - - requestduration - - requestsize - - responsesize ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcp - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" - actions: - - handler: prometheus - instances: - - tcpbytesent - - tcpbytereceived ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcpconnectionopen - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" && ((connection.event | "na") == "open") - actions: - - handler: prometheus - instances: - - tcpconnectionsopened ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: promtcpconnectionclosed - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" && ((connection.event | "na") == "close") - actions: - - handler: prometheus - instances: - - tcpconnectionsclosed ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: handler -metadata: - name: kubernetesenv - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledAdapter: kubernetesenv - params: - # when running from mixer root, use the following config after adding a - # symbolic link to a kubernetes config file via: - # - # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig - # - # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: kubeattrgenrulerule - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - actions: - - handler: kubernetesenv - instances: - - attributes ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: rule -metadata: - name: tcpkubeattrgenrulerule - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - match: context.protocol == "tcp" - actions: - - handler: kubernetesenv - instances: - - attributes ---- - - -apiVersion: "config.istio.io/v1alpha2" -kind: instance -metadata: - name: attributes - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - compiledTemplate: kubernetes - params: - # Pass the required attribute data to the adapter - source_uid: source.uid | "" - source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr - destination_uid: destination.uid | "" - destination_port: destination.port | 0 - attributeBindings: - # Fill the new attributes from the adapter produced output. - # $out refers to an instance of OutputTemplate message - source.ip: $out.source_pod_ip | ip("0.0.0.0") - source.uid: $out.source_pod_uid | "unknown" - source.labels: $out.source_labels | emptyStringMap() - source.name: $out.source_pod_name | "unknown" - source.namespace: $out.source_namespace | "default" - source.owner: $out.source_owner | "unknown" - source.serviceAccount: $out.source_service_account_name | "unknown" - source.workload.uid: $out.source_workload_uid | "unknown" - source.workload.name: $out.source_workload_name | "unknown" - source.workload.namespace: $out.source_workload_namespace | "unknown" - destination.ip: $out.destination_pod_ip | ip("0.0.0.0") - destination.uid: $out.destination_pod_uid | "unknown" - destination.labels: $out.destination_labels | emptyStringMap() - destination.name: $out.destination_pod_name | "unknown" - destination.container.name: $out.destination_container_name | "unknown" - destination.namespace: $out.destination_namespace | "default" - destination.owner: $out.destination_owner | "unknown" - destination.serviceAccount: $out.destination_service_account_name | "unknown" - destination.workload.uid: $out.destination_workload_uid | "unknown" - destination.workload.name: $out.destination_workload_name | "unknown" - destination.workload.namespace: $out.destination_workload_namespace | "unknown" ---- - - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: istio-telemetry - namespace: istio-system - labels: - app: istio-telemetry - release: istio -spec: - host: istio-telemetry.istio-system.svc.cluster.local - trafficPolicy: - portLevelSettings: - - port: - number: 15004 # grpc-mixer-mtls - tls: - mode: ISTIO_MUTUAL - - port: - number: 9091 # grpc-mixer - tls: - mode: DISABLE - connectionPool: - http: - http2MaxRequests: 10000 - maxRequestsPerConnection: 10000 ---- - - -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: istio-system - name: telemetry-envoy-config - labels: - release: istio -data: - # Explicitly defined - moved from istio/istio/pilot/docker. - envoy.yaml.tmpl: |- - admin: - access_log_path: /dev/null - address: - socket_address: - address: 127.0.0.1 - port_value: 15000 - stats_config: - use_all_default_tags: false - stats_tags: - - tag_name: cluster_name - regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' - - tag_name: tcp_prefix - regex: '^tcp\.((.*?)\.)\w+?$' - - tag_name: response_code - regex: '_rq(_(\d{3}))$' - - tag_name: response_code_class - regex: '_rq(_(\dxx))$' - - tag_name: http_conn_manager_listener_prefix - regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: http_conn_manager_prefix - regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - tag_name: listener_address - regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - - static_resources: - clusters: - - name: prometheus_stats - type: STATIC - connect_timeout: 0.250s - lb_policy: ROUND_ROBIN - hosts: - - socket_address: - protocol: TCP - address: 127.0.0.1 - port_value: 15000 - - - name: inbound_9092 - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - connect_timeout: 1.000s - hosts: - - pipe: - path: /sock/mixer.socket - http2_protocol_options: {} - - - name: out.galley.15019 - http2_protocol_options: {} - connect_timeout: 1.000s - type: STRICT_DNS - - circuit_breakers: - thresholds: - - max_connections: 100000 - max_pending_requests: 100000 - max_requests: 100000 - max_retries: 3 - hosts: - - socket_address: - address: istio-galley.istio-system - port_value: 15019 - tls_context: - common_tls_context: - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - verify_subject_alt_name: - - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account - - listeners: - - name: "15090" - address: - socket_address: - protocol: TCP - address: 0.0.0.0 - port_value: 15090 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: AUTO - stat_prefix: stats - route_config: - virtual_hosts: - - name: backend - domains: - - '*' - routes: - - match: - prefix: /stats/prometheus - route: - cluster: prometheus_stats - http_filters: - - name: envoy.router - - - name: "15004" - address: - socket_address: - address: 0.0.0.0 - port_value: 15004 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-telemetry.istio-system.svc.cluster.local - service_configs: - istio-telemetry.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-telemetry.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-telemetry - destination.service.name: - string_value: istio-telemetry - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 15004 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: inbound_9092 - name: mixer - - name: envoy.router - route_config: - name: "15004" - virtual_hosts: - - domains: - - '*' - name: istio-telemetry.istio-system.svc.cluster.local - routes: - - decorator: - operation: Report - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "15004" - name: envoy.http_connection_manager - tls_context: - common_tls_context: - alpn_protocols: - - h2 - tls_certificates: - - certificate_chain: - filename: /etc/certs/cert-chain.pem - private_key: - filename: /etc/certs/key.pem - validation_context: - trusted_ca: - filename: /etc/certs/root-cert.pem - require_client_certificate: true - - - name: "9091" - address: - socket_address: - address: 0.0.0.0 - port_value: 9091 - filter_chains: - - filters: - - config: - codec_type: HTTP2 - http2_protocol_options: - max_concurrent_streams: 1073741824 - generate_request_id: true - http_filters: - - config: - default_destination_service: istio-telemetry.istio-system.svc.cluster.local - service_configs: - istio-telemetry.istio-system.svc.cluster.local: - disable_check_calls: true - {{- if .DisableReportCalls }} - disable_report_calls: true - {{- end }} - mixer_attributes: - attributes: - destination.service.host: - string_value: istio-telemetry.istio-system.svc.cluster.local - destination.service.uid: - string_value: istio://istio-system/services/istio-telemetry - destination.service.name: - string_value: istio-telemetry - destination.service.namespace: - string_value: istio-system - destination.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - destination.namespace: - string_value: istio-system - destination.ip: - bytes_value: {{ .PodIP }} - destination.port: - int64_value: 9091 - context.reporter.kind: - string_value: inbound - context.reporter.uid: - string_value: kubernetes://{{ .PodName }}.istio-system - transport: - check_cluster: mixer_check_server - report_cluster: inbound_9092 - name: mixer - - name: envoy.router - route_config: - name: "9091" - virtual_hosts: - - domains: - - '*' - name: istio-telemetry.istio-system.svc.cluster.local - routes: - - decorator: - operation: Report - match: - prefix: / - route: - cluster: inbound_9092 - timeout: 0.000s - stat_prefix: "9091" - name: envoy.http_connection_manager - - - name: "local.15019" - address: - socket_address: - address: 127.0.0.1 - port_value: 15019 - filter_chains: - - filters: - - name: envoy.http_connection_manager - config: - codec_type: HTTP2 - stat_prefix: "15019" - http2_protocol_options: - max_concurrent_streams: 1073741824 - - access_log: - - name: envoy.file_access_log - config: - path: /dev/stdout - - http_filters: - - name: envoy.router - - route_config: - name: "15019" - - virtual_hosts: - - name: istio-galley - - domains: - - '*' - - routes: - - match: - prefix: / - route: - cluster: out.galley.15019 - timeout: 0.000s ---- - - -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-mixer - istio: mixer - release: istio - name: istio-telemetry - namespace: istio-system -spec: - replicas: 1 - selector: - matchLabels: - istio: mixer - istio-mixer-type: telemetry - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: telemetry - istio: mixer - istio-mixer-type: telemetry - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - ppc64le - weight: 2 - - preference: - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - s390x - weight: 2 - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - - ppc64le - - s390x - containers: - - args: - - --monitoringPort=15014 - - --address - - unix:///sock/mixer.socket - - --log_output_level=default:info - - --configStoreURL=mcp://localhost:15019 - - --configDefaultNamespace=istio-system - - --useAdapterCRDs=false - - --useTemplateCRDs=false - - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: GOMAXPROCS - value: "6" - image: docker.io/istio/mixer:1.4.5 - imagePullPolicy: IfNotPresent - livenessProbe: - httpGet: - path: /version - port: 15014 - initialDelaySeconds: 5 - periodSeconds: 5 - name: mixer - ports: - - containerPort: 9091 - - containerPort: 15014 - - containerPort: 42422 - resources: - limits: - cpu: 4800m - memory: 4G - requests: - cpu: 1000m - memory: 1G - volumeMounts: - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /sock - name: uds-socket - - mountPath: /var/run/secrets/istio.io/telemetry/adapter - name: telemetry-adapter-secret - readOnly: true - - args: - - proxy - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --serviceCluster - - istio-telemetry - - --templateFile - - /var/lib/envoy/envoy.yaml.tmpl - - --controlPlaneAuthPolicy - - MUTUAL_TLS - - --trust-domain=cluster.local - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SDS_ENABLED - value: "false" - image: docker.io/istio/proxyv2:1.4.5 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15004 - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - mountPath: /var/lib/envoy - name: telemetry-envoy-config - - mountPath: /etc/certs - name: istio-certs - readOnly: true - - mountPath: /sock - name: uds-socket - serviceAccountName: istio-mixer-service-account - volumes: - - name: istio-certs - secret: - optional: true - secretName: istio.istio-mixer-service-account - - emptyDir: {} - name: uds-socket - - name: telemetry-adapter-secret - secret: - optional: true - secretName: telemetry-adapter-secret - - configMap: - name: telemetry-envoy-config - name: telemetry-envoy-config - ---- - - -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istio-telemetry - namespace: istio-system - labels: - app: telemetry - release: istio - istio: mixer - istio-mixer-type: telemetry -spec: - minAvailable: 1 - selector: - matchLabels: - app: telemetry - istio: mixer - istio-mixer-type: telemetry ---- - - -apiVersion: v1 -kind: Service -metadata: - name: istio-telemetry - namespace: istio-system - labels: - app: mixer - istio: mixer - release: istio -spec: - ports: - - name: grpc-mixer - port: 9091 - - name: grpc-mixer-mtls - port: 15004 - - name: http-monitoring - port: 15014 - - name: prometheus - port: 42422 - selector: - istio: mixer - istio-mixer-type: telemetry ---- - - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-mixer-service-account - namespace: istio-system - labels: - app: istio-telemetry - release: istio ---- - -# Tracing component is disabled. - diff --git a/terraform/.DS_Store b/terraform/.DS_Store new file mode 100644 index 0000000..0312566 Binary files /dev/null and b/terraform/.DS_Store differ diff --git a/terraform/ansible/haproxy.cfg b/terraform/ansible/haproxy.cfg new file mode 100644 index 0000000..9e1e65e --- /dev/null +++ b/terraform/ansible/haproxy.cfg @@ -0,0 +1,21 @@ +haproxy provided by https://docs.kublr.com/articles/onprem-multimaster/ + +frontend kubernetes-api + bind 10.0.2.2:6443 + bind 127.0.0.1:6443 + mode tcp + option tcplog + timeout client 300000 + default_backend kubernetes-api + +backend kubernetes-api + mode tcp + option tcplog + option tcp-check + timeout server 300000 + balance roundrobin + default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100 + + server apiserver1 10.0.2.10:6443 check + server apiserver2 10.0.2.11:6443 check + server apiserver3 10.0.2.12:6443 check \ No newline at end of file diff --git a/terraform/ansible/hosts b/terraform/ansible/hosts new file mode 100644 index 0000000..082bee3 --- /dev/null +++ b/terraform/ansible/hosts @@ -0,0 +1,6 @@ +127.0.0.1 localhost +10.0.2.2 loadbalancer +10.0.2.10 master1 +10.0.2.11 master2 +10.0.2.12 master3 +10.0.2.20 worker1 \ No newline at end of file diff --git a/terraform/ansible/mainMaster.yml b/terraform/ansible/mainMaster.yml new file mode 100644 index 0000000..3b7dd3a --- /dev/null +++ b/terraform/ansible/mainMaster.yml @@ -0,0 +1,36 @@ +- hosts: MainMaster + tasks: + - name: disable swap + command: swapoff -a + ignore_errors: yes + - name: force reset kubeadm for safety + command: kubeadm reset -f + - name: generateCert + command: kubeadm alpha certs certificate-key + register: cert + - name: kubeadm init + command: kubeadm init --control-plane-endpoint "10.0.2.2:6443" --upload-certs --certificate-key {{ cert.stdout }} + ignore_errors: no + - name: create .kube directory + command: mkdir ~/.kube + ignore_errors: yes + - name: ensure dns server + command: echo "nameserver 8.8.8.8" > /etc/resolv.conf + - name: setup kubeconfig + command: cp /etc/kubernetes/admin.conf ~/.kube/config + - name: copy install weave + copy: + src: ~/installWeave.sh + dest: ~/installWeave.sh + ignore_errors: yes + - name: make executable + command: chmod +x installWeave.sh + - name: weave setup + command: sh ~/installWeave.sh + - name: generate worker join command + command: kubeadm token create --print-join-command + register: joinOutput + - name: save worker join + local_action: copy content={{ joinOutput.stdout }} dest=~/join.sh + - name: save master join + local_action: copy content="{{ joinOutput.stdout }} --control-plane --certificate-key {{ cert.stdout }}" dest=~/joinMaster.sh diff --git a/terraform/ansible/secondaryMasters.yml b/terraform/ansible/secondaryMasters.yml new file mode 100644 index 0000000..3d16cd0 --- /dev/null +++ b/terraform/ansible/secondaryMasters.yml @@ -0,0 +1,12 @@ +- hosts: SecondaryMasters + tasks: + - name: reset kubeadm for safety + command: kubeadm reset -f + - name: copy join command + copy: + src: joinMaster.sh + dest: join.sh + - name: make executable + command: chmod +x join.sh + - name: run join + command: sh ./join.sh \ No newline at end of file diff --git a/terraform/ansible/setup.yml b/terraform/ansible/setup.yml new file mode 100644 index 0000000..716e52d --- /dev/null +++ b/terraform/ansible/setup.yml @@ -0,0 +1,91 @@ +- hosts: all + tasks: + - name: test connection + ping: + - name: add kubernetes repo + yum_repository: + name: kubernetes + description: "some repo" + baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 + enabled: yes + gpgcheck: yes + repo_gpgcheck: yes + gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg + - name: copy hosts file + copy: + src: hosts + dest: /etc/hosts + - name: ensure dns is in resolvconf + command: echo "nameserver 8.8.8.8" > /etc/resolv.conf + - name: setenforce 0 (linux perm step 1) + command: setenforce 0 + - name: linux perm step 2 + replace: + path: /etc/selinux/config + regexp: 'SELINUX=enforcing' + after: 'SELINUX=permissive' + - name: update all packages + yum: + name: '*' + state: latest + - name: install kubernetes requirements + yum: + name: "{{ requirements }}" + vars: + requirements: + - docker + - kubeadm + - kubectl + - kubelet + - name: enable and start docker service + service: + name: docker + enabled: yes + state: started + - name: enable and start kubelet service + service: + name: kubelet + enabled: yes + state: started + - name: open port 6443 tcp + firewalld: + zone: public + permanent: yes + state: enabled + port: 6443/tcp + - name: open port 10250 tcp + firewalld: + zone: public + permanent: yes + state: enabled + port: 10250/tcp + - name: open port 443 tcp + firewalld: + zone: public + permanent: yes + state: enabled + port: 443/tcp + +- hosts: Workers + tasks: + - name: open port range 30000-32767 tcp + firewalld: + zone: public + permanent: yes + state: enabled + port: 30000-32767/tcp + +- hosts: Masters + tasks: + - name: open port range 2379-2380 tcp (etcd) + firewalld: + zone: public + permanent: yes + state: enabled + port: 2379-2380/tcp + - name: open port 10251-10252 tcp (scheduler and controller manager) + firewalld: + zone: public + permanent: yes + state: enabled + port: 10251-10252/tcp \ No newline at end of file diff --git a/terraform/terraform.tf b/terraform/terraform.tf new file mode 100644 index 0000000..e69de29 diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars new file mode 100644 index 0000000..eff6c09 --- /dev/null +++ b/terraform/terraform.tfvars @@ -0,0 +1,3 @@ +project = "flowfactor" +region = "europe-west" +name = "ff-stage-euw1-" \ No newline at end of file